In Apache 2.4, the SSLCARevocationCheck directive was added to mod_ssl; it defaults to none and must be explicitly configured. This setting enables checking of a certificate revocation list. The default Puppet master vhost config shipped with Puppet does not include this setting. If a Puppet master is set up to run with Apache 2.4, and this default vhost configuration file is used, the Puppet master will continue to honor a host's certificate even after it is revoked.
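A way to check a vhost file for the condition described above, as an added example (not code from Puppet or from this advisory). The sample vhost, its placeholder CRL path and the function name audit_revocation are constructed for illustration; the check assumes SSLEngine is set inside the vhost and does not follow Include files.

```python
import re

# Constructed sample vhost (not Puppet's shipped file); the CRL path is a placeholder.
SAMPLE_DEFAULT = """\
<VirtualHost *:8140>
    SSLEngine on
    SSLVerifyClient optional
    SSLCARevocationFile /path/to/ca_crl.pem
</VirtualHost>
"""
# Same vhost with revocation checking switched on for the whole chain.
SAMPLE_FIXED = SAMPLE_DEFAULT.replace(
    "    SSLCARevocationFile", "    SSLCARevocationCheck chain\n    SSLCARevocationFile")

def audit_revocation(conf_text):
    """Return [(vhost, problem)] for SSL vhosts whose effective
    SSLCARevocationCheck is unset or 'none'. Include files are not followed."""
    server, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"_name": opened.group(1).strip()}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif not line.startswith("<"):
            parts = line.split(None, 1)
            args = parts[1].strip() if len(parts) > 1 else ""
            # Directive names are case-insensitive; the last occurrence wins.
            (current if current is not None else server)[parts[0].lower()] = args
    findings = []
    for vh in vhosts:
        if vh.get("sslengine", "").lower() != "on":
            continue                               # only vhosts that enable SSL themselves
        # A vhost-level setting overrides one made at server level.
        mode = vh.get("sslcarevocationcheck", server.get("sslcarevocationcheck"))
        if mode is None:
            findings.append((vh["_name"], "SSLCARevocationCheck not set; mod_ssl 2.4 defaults to none"))
        elif mode.lower().startswith("none"):
            findings.append((vh["_name"], "SSLCARevocationCheck explicitly none"))
    return findings

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(label, audit_revocation(text) or "revocation checking enabled")
```

A vhost that lists a CRL with SSLCARevocationFile but is still reported here is the case the advisory describes: the CRL is configured, but mod_ssl is never told to consult it.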
CVSSv2 Score: 3.1
Affected Software Versions: