Re: CRL verification in slapd
Ralf Haferkamp wrote:
As openssl-0.9.7* has some CRL checking capabilities, I am currently working
on implementing CRL checking in slapd.
Therefore I plan to add the following
directives to ldap.conf and slapd.conf:
I'd vote for TLS_CRLCHECK to keep it similar to the style of constants in ldap.h
(see suggestions below).
And an options constant for ldap.h (similar to other constants there):
And how would the directives for the CRL file/directory be called? Or do you
plan to use the directory containing trusted root certs?
How about this:
You see, I'm most interested in the ldap.h constants since I'll happily
add support for CRL checking in python-ldap. :-)
But it would directly map to directives in ldap.conf:
The possible values of these would be: (reflecting the possibilities that
openssl-0.9.7d currently has)
"no" do not perform any CRL checks (this would be the default)
I'd vote for "none".
"yes" perform CRL checks
This only performs a revocation check on the end-entity cert? How about
calling this "peer" to make that very clear?
"all" perform CRL checks for the whole chain
Ok for me.
Any comments or suggestions regarding this?
My suggestions for naming the constants in ldap.h: