[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CRL expiration

To: Matt Kelley <mgk333@hotmail.com>
Subject: Re: CRL expiration
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 5 Dec 2007 19:21:17 -0500 (EST)
Cc: openldap-software@openldap.org
In-reply-to: <BAY113-DAV207CB723C46188FD032FE79D6E0@phx.gbl>, <000f01c8378b$97eef1a0$284c10ac@rocketsoftware.com>
References: <BAY113-DAV207CB723C46188FD032FE79D6E0@phx.gbl>, <000f01c8378b$97eef1a0$284c10ac@rocketsoftware.com>

I think this was discussed on the list (probably as part of 2.4 TLS enhancements), but I don't recall the outcome.

My first evil idea, though, would be to try to kick your TLS config using back-config...hopefully that rehashes everything?

On Wed, 5 Dec 2007, Matt Kelley wrote:

I am using OpenLDAP 2.3.39.  I have enabled CRL checking by including
"TLSCRLCheck peer" in my slapd.conf file.  I am having a problem when
CRLs expire.  I find that, after retrieving an updated CRL, I must
restart slapd in order for it to be used.  This seems to be true
whether using TLSCACertificateFile or TLSCACertificatePath.  Is this
expected?  Is there any way to update CRLs (or certificates, for that
matter) without recycling slapd?

Thanks in advance,
Matt

References:
- CRL expiration
  - From: "Matt Kelley" <mgk333@hotmail.com>

Prev by Date: Re: sync replication fails
Next by Date: Re: CRL expiration
Index(es):
- Chronological
- Thread