Yes, this is bad.
On the upside, this is an implementation problem and thus relatively easy to fix (versus spec problems).
Hanno, what’s the response from Apache folks?
To the existing bug reports the response was mostly silence.
My outside impression is this code is practically unmaintained and the Apache folks don’t care that much.
There’s a better way of solving the certificate revocation problem: http://www.ccs.neu.edu/home/cbw/static/pdf/larisch-oakland17.pdf