--- loncom/lond	2018/03/23 01:02:22	1.543
+++ loncom/lond	2018/08/07 17:12:09	1.545
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.543 2018/03/23 01:02:22 raeburn Exp $
+# $Id: lond,v 1.545 2018/08/07 17:12:09 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -65,7 +65,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.543 $'; #' stupid emacs
+my $VERSION='$Revision: 1.545 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -108,6 +108,10 @@ my %perlvar;			# Will have the apache co
 my %secureconf;                 # Will have requirements for security 
                                 # of lond connections
 
+my %crlchecked;                 # Will contain clients for which the client's SSL
+                                # has been checked against the cluster's Certificate
+                                # Revocation List.
+
 my $dist;
 
 #
@@ -420,10 +424,18 @@ sub SSLConnection {
     Debug("Approving promotion -> ssl");
     #  And do so:
 
+    my $CRLFile;
+    unless ($crlchecked{$clientname}) {
+        $CRLFile = lonssl::CRLFile();
+        $crlchecked{$clientname} = 1;
+    }
+
     my $SSLSocket = lonssl::PromoteServerSocket($Socket,
 						$CACertificate,
 						$Certificate,
-						$KeyFile);
+						$KeyFile,
+						$clientname,
+                                                $CRLFile);
     if(! ($SSLSocket) ) {	# SSL socket promotion failed.
 	my $err = lonssl::LastError();
 	&logthis("<font color=\"red\"> CRITICAL "
@@ -6992,10 +7004,10 @@ sub UpdateHosts {
 
     my %oldconf = %secureconf;
     my %connchange;
-    if (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') {
-        logthis('<font color="blue"> Reloaded SSL connection rules </font>');
+    if (lonssl::Read_Connect_Config(\%secureconf,\%crlchecked,\%perlvar) eq 'ok') {
+        logthis('<font color="blue"> Reloaded SSL connection rules and cleared CRL checking history </font>');
     } else {
-        logthis('<font color="yellow"> Failed to reload SSL connection rules </font>');
+        logthis('<font color="yellow"> Failed to reload SSL connection rules and clear CRL checking history </font>');
     }
     if ((ref($oldconf{'connfrom'}) eq 'HASH') && (ref($secureconf{'connfrom'}) eq 'HASH')) {
         foreach my $type ('dom','intdom','other') {
@@ -7274,7 +7286,7 @@ if ($arch eq 'unknown') {
     chomp($arch);
 }
 
-unless (lonssl::Read_Connect_Config(\%secureconf,\%perlvar) eq 'ok') {
+unless (lonssl::Read_Connect_Config(\%secureconf,\%crlchecked,\%perlvar) eq 'ok') {
     &logthis('<font color="blue">No connectionrules table. Will fallback to loncapa.conf</font>');
 }
 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>