http: Update comment about CRL verification by socket ssl context.

caucase/http.py

@@ -226,15 +226,13 @@ def getSSLContext(
   # If a client wishes to use https for unauthenticated operations, that's
   # fine too.
   ssl_context.verify_mode = ssl.CERT_OPTIONAL
-  # Note: it does not seem possible to get python's openssl context to check
-  # certificate revocation:
-  # - calling load_verify_locations(cadata=<crl data>) or
-  #   load_verify_locations(cadata=<crl data> + <ca crt data>) raises
-  # - calling load_verify_locations(cadata=<ca crt data> + <crl data>) fails to
-  #   validate CA completely
-  # Anyway, wsgi application level is supposed (and automatically tested to)
-  # verify revocations too, so this should not be a big issue... Still,
-  # implementation cross-check would have been nice.
+  # Note: python's standard ssl module does not provide a way to replace the
+  # current CRL file on an existing openssl context: load_verify_locations ends
+  # up calling X509_STORE_add_crl, which either adds the CRL to its list of
+  # files or rejects the file. So either memory usage with increase until
+  # context gets renewed, or we get stuck with an old CRL. So expect wsgi
+  # application to implement these checks on its own when accessing client's
+  # certificate.
   #ssl_context.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
   ssl_context.load_verify_locations(
     cadata=utils.toUnicode(cau.getCACertificate()),