
Re: CRL question



joakim@comex.se wrote:
> 
> I’m using Openldap with TLS and CRL.
> My slapd.conf file has the line “TLSCRLCheck all”.

Are you using client certificates for authentication?

> When the CRL has expired the client is not allowed to
> make a TLS connection.

Well, that's how a relying party in an X.509 PKI is supposed to act. If
the CRL is expired, a cert cannot be used (trusted).

> My question is whether it is possible to configure openldap to let the
> client connect to the server (possibly with a warning) even when the CRL
> has expired.

Don't use CRL checking if you don't want it to have an effect.
Simply like that.

Ciao, Michael.
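The relying-party behaviour Michael describes, as an added example that is not part of the original thread or of the OpenLDAP code base: a checker that, like slapd with "TLSCRLCheck all", refuses to trust any certificate once the CRL's nextUpdate has passed, and only consults the revocation list while the CRL is current. The CA, the CRL contents and the serial numbers are constructed for the demo; the third-party `cryptography` package is assumed to be installed.

```python
"""Why an expired CRL blocks the connection: a relying-party check.

Added example, not code from the OpenLDAP thread or from OpenLDAP itself.
Assumes the third-party `cryptography` package (pip install cryptography).
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def make_ca():
    """Constructed throwaway CA (key + self-signed cert) for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(ca_key, ca_cert, last_update, next_update, revoked_serials=()):
    """Build and sign a CRL; returns PEM bytes. Dates control freshness."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(last_update)
        .next_update(next_update)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(last_update)
            .build()
        )
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)


def _next_update(crl):
    """nextUpdate as an aware UTC datetime across cryptography versions."""
    nu = getattr(crl, "next_update_utc", None)
    if nu is None and crl.next_update is not None:
        nu = crl.next_update.replace(tzinfo=UTC)
    return nu


def check_crl(crl_pem, ca_cert, serial, now=None):
    """Mirror 'TLSCRLCheck all': the CRL must be signed by the CA and
    still current before it can vouch for anything. Returns one of
    'bad_signature', 'crl_expired', 'revoked', 'good'."""
    now = now or datetime.datetime.now(UTC)
    crl = x509.load_pem_x509_crl(crl_pem)
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "bad_signature"
    nu = _next_update(crl)
    if nu is None or nu < now:
        # An expired CRL says nothing about current revocation state,
        # so no cert can be trusted on its basis, revoked or not.
        return "crl_expired"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"


def demo():
    """Fresh CRL vs. expired CRL, checked against two serials (42 revoked)."""
    ca_key, ca_cert = make_ca()
    now = datetime.datetime.now(UTC).replace(microsecond=0)
    day = datetime.timedelta(days=1)
    fresh = make_crl(ca_key, ca_cert, now - day, now + 7 * day, revoked_serials=[42])
    stale = make_crl(ca_key, ca_cert, now - 30 * day, now - day, revoked_serials=[42])
    return {
        "fresh_unrevoked": check_crl(fresh, ca_cert, 1, now),
        "fresh_revoked": check_crl(fresh, ca_cert, 42, now),
        "stale_unrevoked": check_crl(stale, ca_cert, 1, now),
        "stale_revoked": check_crl(stale, ca_cert, 42, now),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The two "stale" cases are the situation in the question: as long as the CRL on disk is past its nextUpdate, even a certificate that was never revoked is refused, and the only fixes are to publish a fresh CRL or to stop asking slapd to check CRLs at all.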