
Re: CRL Certificate



Donn Cave wrote:
On Nov 7, 2006, at 1:55 PM, Quanah Gibson-Mount wrote:
--On Tuesday, November 07, 2006 10:32 PM +0100 Turbo Fredriksson <turbo@bayour.com> wrote:
Quoting Howard Chu <hyc@symas.com>:
...
Read the slapd.conf(5) manpage again, look for the TLSCRLCheck keyword.

Doesn't exist in man manual. When did that come? I'm running OpenLDAP v2.2.28.

I'm guessing 2.3, since it is the man page there. You may want to consider upgrading.

Also note that SSL version may play a role in this - won't be supported with OpenSSL 0.9.7c or lower. Some common Linux distributions install 0.9.7b.

True. On older OpenSSL distributions the TLSCRLCheck keyword will not be recognized, and should trigger an error when parsing slapd.conf.


Once you get it working, it's a bit of trouble to keep it working,
unless there's some way I don't know to import the CRL without
restarting the server.  Since the CRL will regularly expire, you
can't just let it go - even if you have nothing to add to it, you
have to update it and restart.  You can avoid that particular problem
by making an exception for X509_V_ERR_CRL_HAS_EXPIRED, in
tls.c:tls_verify_cb(), but that will help only if your CRL is not
very active.

I don't think it's OpenLDAP's fault, OpenSSL X509_STORE_add_crl()
wouldn't update an existing CRL anyway.  I proposed a fix to that,
but don't believe I got any response.

Yes, I see this is still true in the current release (OpenSSL 0.9.8d) as well. Googling the OpenSSL mailing lists doesn't turn up your proposed fix; have you got a pointer to that?


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
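A cron-style check for the operational problem Donn Cave describes above (the CRL slapd loaded reaching its nextUpdate, after which it must be regenerated and slapd restarted). This is an added example, not code from the thread, OpenLDAP or OpenSSL; it assumes GNU date and the openssl command-line tool, and the CRL path is a placeholder.

```shell
#!/bin/sh
# crl_check.sh: exit non-zero when the CRL is expired or expires within
# a margin, so it can be regenerated and slapd restarted before clients
# start failing with X509_V_ERR_CRL_HAS_EXPIRED.
# Assumes GNU date (for -d) and the openssl CLI. Example code only.

# Convert a "nextUpdate=<date>" line, as printed by
# `openssl crl -noout -nextupdate`, into Unix epoch seconds (UTC).
crl_next_update_epoch() {
    when="${1#nextUpdate=}"
    date -u -d "$when" +%s
}

# Succeed (0) when nextUpdate ($1) is at least $2 seconds after now ($3).
crl_valid_for() {
    next="$1"; margin="$2"; now="$3"
    [ "$((next - now))" -ge "$margin" ]
}

# Print "ok" or "renew" for a nextUpdate line, a margin and a "now" epoch.
# "now" is passed in rather than read from the clock so the logic is
# testable against fixed dates.
crl_status() {
    next=$(crl_next_update_epoch "$1") || return 2
    if crl_valid_for "$next" "$2" "$3"; then
        echo "ok"
    else
        echo "renew"
    fi
}

main() {
    crl="${1:-/etc/openldap/crl.pem}"   # placeholder path, adjust locally
    margin="${2:-86400}"                # warn one day ahead by default
    line=$(openssl crl -noout -nextupdate -in "$crl") || exit 2
    status=$(crl_status "$line" "$margin" "$(date -u +%s)")
    echo "$crl: $status"
    [ "$status" = ok ]
}

# Run the check only when invoked directly as crl_check.sh.
case "$0" in *crl_check.sh) main "$@" ;; esac
```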