Re: CRL verification in slapd
On Wednesday 27 October 2004 11:32, Michael Ströder wrote:
> Ralf Haferkamp wrote:
> > ldap.conf:
> > TLS_CRL_CHECK
> I'd vote for TLS_CRLCHECK to keep it similar to style of constants in
> ldap.h (see suggestions below).
Yes, TLS_CRLCHECK is probably more consistent.
> > slapd.conf:
> > TLSCRLCheck
> And an options constant for ldap.h (similar to other constants there):
Yes I already implemented them, just forgot to mention that here.
> And how would the directives for the CRL file/directory be called? Or do
> you plan to use the directory containing trusted root certs?
That is how the current implementation in openssl works. I did not yet find a
simple way to provide a separate location for CRLs. But I am still
researching that.
> > The possible values of these would be: (reflecting the possibilities
> > that openssl-0.9.7d currently has)
> > "no" do not perform any CRL checks (this would be the default)
> I'd vote for "none".
> > "yes" perform CRL checks
> This only performs a revocation check on the end-entity cert? How about
> calling this "peer" to make that very clear?
> > "all" perform CRL checks for a for whole chain
> Ok for me.
> > Any comments or suggestions regarding this?
> My suggestions for naming the constants in ldap.h:
I'll consider your suggestions, they seem to make sense.
SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg
F: +49-911-74053575 - Ralf.Haferkamp@suse.com
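The CRL lookup the thread is discussing, as an added example that is not from the thread, from OpenLDAP or from OpenSSL's own sources: a throw-away CA, one leaf certificate and a CRL are generated locally with the openssl command line, the CA cert is installed as <hash>.0 in a hashed directory of the kind the ldap.conf TLS_CACERTDIR directive points at, and the CRL is dropped beside it as <hash>.r0, which is where OpenSSL's hashed-directory lookup finds CRLs when the check is enabled. The three verification modes are then run with openssl verify: no CRL flag, -crl_check (end-entity only, the "peer" value proposed above) and -crl_check_all (whole chain). That mapping of the proposed values onto the openssl flags, the file and directory names, the CN values and the ca.cnf layout are this example's assumptions, not slapd syntax. It also shows the failure mode to plan for before enabling the check: with CRL checking on, a directory that contains no CRL makes every verification fail with "unable to get certificate CRL", not only revoked certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP/OpenSSL. Builds a
# throw-away CA and leaf cert, publishes a CRL in a hashed CA directory, and
# runs `openssl verify` in three modes. The none/peer/all names and their
# mapping to -crl_check / -crl_check_all are this example's assumptions.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal `openssl ca` layout and config, constructed here for the demo.
mkdir -p ca/newcerts cadir; : > ca/index.txt; echo 1000 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
x509_extensions = leaf_ext
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF

# Self-signed root plus one server cert signed by it (made-up names).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=DemoCA -days 30 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=ldap.example.test -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem >/dev/null 2>&1

# Hashed directory as TLS_CACERTDIR expects: the CA cert goes in as <hash>.0.
cp ca.pem "cadir/$(openssl x509 -hash -noout -in ca.pem).0"

# install_crl FILE: publish a CRL as <issuer hash>.r0 in the same directory.
install_crl() {
    cp "$1" "cadir/$(openssl crl -hash -noout -in "$1").r0"
}

# verify_mode none|peer|all CERT: prints ok, no-crl, revoked or fail.
verify_mode() {
    case "$1" in
        none) flags="" ;;                 # no revocation check at all
        peer) flags="-crl_check" ;;       # CRL check on the end-entity cert only
        all)  flags="-crl_check_all" ;;   # CRL check on every cert in the chain
        *) echo "usage: verify_mode none|peer|all cert" >&2; return 2 ;;
    esac
    if out=$(openssl verify $flags -CApath cadir "$2" 2>&1); then
        echo ok
    elif printf '%s\n' "$out" | grep -q 'unable to get certificate CRL'; then
        echo no-crl
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo fail
    fi
}

# 1. No CRL published yet: "peer" rejects every cert, not just revoked ones.
R1_NONE=$(verify_mode none leaf.pem)   # ok
R1_PEER=$(verify_mode peer leaf.pem)   # no-crl

# 2. Publish an empty CRL: peer and all pass (the root's own CRL is the same file).
openssl ca -gencrl -config ca.cnf -out crl.pem 2>/dev/null
install_crl crl.pem
R2_PEER=$(verify_mode peer leaf.pem)   # ok
R2_ALL=$(verify_mode all leaf.pem)     # ok

# 3. Revoke the leaf and republish the CRL: only "none" still accepts it.
openssl ca -revoke leaf.pem -config ca.cnf >/dev/null 2>&1
openssl ca -gencrl -config ca.cnf -out crl.pem 2>/dev/null
install_crl crl.pem
R3_NONE=$(verify_mode none leaf.pem)   # ok
R3_PEER=$(verify_mode peer leaf.pem)   # revoked
R3_ALL=$(verify_mode all leaf.pem)     # revoked
echo "no CRL: none=$R1_NONE peer=$R1_PEER | empty CRL: peer=$R2_PEER all=$R2_ALL | revoked: none=$R3_NONE peer=$R3_PEER all=$R3_ALL"
```

Run it with sh; it needs only the openssl command on PATH and writes nothing outside a temporary directory. With a single-level chain "peer" and "all" behave the same, since the root's own CRL is the CA's CRL; the difference appears with intermediate CAs, where "all" also needs a CRL for each intermediate to be present in the directory under its issuer's hash.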