
RE: About CRLs support (evolution request) (ITS#2617)



> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> emmanuel.duru@atosorigin.com

> Full_Name: Emmanuel Duru
> Version: 2.2.0 alpha
> OS: Solaris 8
> URL:
> Submission from: (NULL) (195.68.44.148)

> Is it possible (maybe in a next release) to support CRLs?
> By CRL support, I mean that when performing strong authentication of a
> client (TLS/SSL with client certificate), the server should check that the
> certificate provided by the client is not in a CRL. Provided OpenSSL is
> able to manage CRLs (which should be the case), there should be a means to
> set a CRL file in the OpenLDAP configuration, which would pass it to
> OpenSSL.

We have discussed this issue in other forums before. Current releases of
OpenSSL (0.9.6, 0.9.7) do not provide any special functions for checking a
CRL. There are library functions in OpenSSL 0.9.8 to handle CRLs, but it will
be a while before 0.9.8 is released. If you'd like to submit a patch that
adds CRL support using OpenSSL 0.9.6-7, please do. Apache's mod_ssl provides
an implementation that you could examine for guidance. Whether or not you can
cut and paste the code directly into an OpenLDAP patch depends on the
Apache/mod_ssl license, of course.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
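The check the request describes (reject a client certificate that appears on the issuer's CRL), shown end to end as an added shell example that is not part of this thread and not OpenLDAP or OpenSSL project code. It assumes the `openssl` command-line tool (1.1 or later) is on the PATH; the CA name, client name, file names and the mktemp directory are constructed for the demo. It uses the `openssl ca` and `openssl verify -crl_check` commands of current OpenSSL, not the 0.9.6/0.9.7 library API the reply discusses. The interesting comparison is the last two checks: a chain-only check still accepts the revoked certificate, the CRL-aware check rejects it.

```shell
#!/bin/sh
# Added example: build a throwaway CA, issue a client certificate, revoke it,
# and show that verification only fails once the CRL is consulted.
# DemoCA, client and the scratch directory are constructed for this demo.
set -eu

# Create a scratch CA directory with the minimal files "openssl ca" expects,
# then issue a self-signed CA certificate and one client certificate.
setup_ca() {
    DIR=$(mktemp -d)
    touch "$DIR/index.txt"
    echo 01 > "$DIR/serial"
    echo 01 > "$DIR/crlnumber"
    cat > "$DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$DIR/ca.key" -out "$DIR/ca.pem" -subj /CN=DemoCA -days 30 2>/dev/null
    openssl req -config "$DIR/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$DIR/client.key" -out "$DIR/client.csr" -subj /CN=client 2>/dev/null
    openssl ca -config "$DIR/openssl.cnf" -batch -notext \
        -in "$DIR/client.csr" -out "$DIR/client.pem" >/dev/null 2>&1
}

# Revoke the client certificate in the CA database and publish a signed CRL.
revoke_client() {
    openssl ca -config "$DIR/openssl.cnf" -revoke "$DIR/client.pem" >/dev/null 2>&1
    openssl ca -config "$DIR/openssl.cnf" -gencrl -out "$DIR/crl.pem" >/dev/null 2>&1
}

# Chain check only: what a server without CRL support does with a client cert.
verify_without_crl() {
    openssl verify -CAfile "$DIR/ca.pem" "$DIR/client.pem" >/dev/null 2>&1
}

# Chain check plus CRL check: exits non-zero for a revoked certificate.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$DIR/ca.pem" -CRLfile "$DIR/crl.pem" \
        "$DIR/client.pem" >/dev/null 2>&1
}

main() {
    setup_ca
    verify_without_crl && echo "before revocation: chain OK"
    revoke_client
    verify_without_crl && echo "after revocation, no CRL consulted: still accepted"
    if verify_with_crl; then
        echo "after revocation, CRL consulted: accepted (unexpected)"
    else
        echo "after revocation, CRL consulted: rejected as revoked"
    fi
    rm -rf "$DIR"
}
main
```

The CA private key and the revoked certificate are both left readable in the scratch directory only until `main` removes it; in a real deployment the CRL would be regenerated and redistributed on every revocation, since a stale CRL gives the same false acceptance as no CRL at all.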