Re: CRL verification in slapd
On Wednesday 27 October 2004 11:32, Michael Ströder wrote:
> Ralf Haferkamp wrote:
[..]
> > ldap.conf:
> > TLS_CRL_CHECK
>
> I'd vote for TLS_CRLCHECK to keep it similar to style of constants in
> ldap.h (see suggestions below).
Yes, TLS_CRLCHECK is probably more consistent.
> > slapd.conf:
> > TLSCRLCheck
>
> And an options constant for ldap.h (similar to other constants there):
>
> LDAP_OPT_X_TLS_CRLCHECK
Yes I already implemented them, just forgot to mention that here.
> And how would the directives for the CRL file/directory be called? Or do
> you plan to use the directory containing trusted root certs?
That is how the current implementation in openssl works. I did not yet find a
simple way to provide a separate location for CRLs. But I am still
researching that.
[..]
> > The possible values of these would be: (reflecting the possibilities
> > that openssl-0.9.7d currently has)
> >
> > "no" do not perform any CRL checks (this would be the default)
>
> I'd vote for "none".
>
> > "yes" perform CRL checks
>
> This only performs a revocation check on the end-entity cert? How about
> calling this "peer" to make that very clear?
>
> > "all" perform CRL checks for a for whole chain
>
> Ok for me.
>
> > Any comments or suggestions regarding this?
>
> My suggestions for naming the constants in ldap.h:
>
> LDAP_OPT_X_TLS_CRLCHECK_NONE
> LDAP_OPT_X_TLS_CRLCHECK_PEER
> LDAP_OPT_X_TLS_CRLCHECK_ALL
I'll consider your suggestions, they seem to make sense.
--
Ralf Haferkamp
SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com
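An added example, not code from this thread or from OpenLDAP, that makes the difference between the proposed none/peer/all values concrete: a parser for the directive value and a chain check that applies the mode. The enum values, the chain layout and the revoked serial numbers are assumptions constructed for the example; the CRL lookup is a stub standing in for OpenSSL's store lookup in the CA directory.

```c
#include <string.h>
#include <stddef.h>

/* Modes named after the constants proposed in the thread; the numeric
 * values are assumptions for this example, not OpenLDAP's shipped ldap.h. */
enum crlcheck_mode { CRLCHECK_NONE = 0, CRLCHECK_PEER = 1, CRLCHECK_ALL = 2 };

/* Minimal stand-in for a certificate: just subject and serial number. */
struct cert { const char *subject; long serial; };

/* Constructed CRL contents: serials the CAs in the trust store have revoked. */
static const long REVOKED_SERIALS[] = { 1002L, 2001L };

static int is_revoked(long serial)
{
    size_t i;
    for (i = 0; i < sizeof REVOKED_SERIALS / sizeof REVOKED_SERIALS[0]; i++)
        if (REVOKED_SERIALS[i] == serial)
            return 1;
    return 0;
}

/* Map a TLSCRLCheck / TLS_CRLCHECK directive value to a mode; -1 on unknown input. */
int parse_crlcheck(const char *value)
{
    if (strcmp(value, "none") == 0) return CRLCHECK_NONE;
    if (strcmp(value, "peer") == 0) return CRLCHECK_PEER;
    if (strcmp(value, "all") == 0)  return CRLCHECK_ALL;
    return -1;
}

/* chain[0] is the end-entity (peer) cert, chain[n-1] the trust anchor.
 * Returns 1 if no certificate the mode requires checking is revoked, else 0. */
int verify_chain(const struct cert *chain, size_t n, int mode)
{
    size_t i, depth;
    switch (mode) {
    case CRLCHECK_NONE: return 1;                  /* no CRL consulted at all */
    case CRLCHECK_PEER: depth = n ? 1 : 0; break;  /* end-entity cert only */
    case CRLCHECK_ALL:  depth = n; break;          /* every cert in the chain */
    default:            return 0;                  /* unknown mode: fail closed */
    }
    for (i = 0; i < depth; i++)
        if (is_revoked(chain[i].serial))
            return 0;
    return 1;
}

/* Constructed chains: one with a revoked intermediate CA, one with a revoked leaf. */
const struct cert CHAIN_REVOKED_CA[3] = {
    { "cn=ldap.example", 3001L }, { "cn=Issuing CA", 2001L }, { "cn=Root CA", 1L } };
const struct cert CHAIN_REVOKED_LEAF[3] = {
    { "cn=ldap.example", 1002L }, { "cn=Issuing CA", 2002L }, { "cn=Root CA", 1L } };
```

The first chain passes under "peer" but fails under "all", which is exactly the gap the thread's naming discussion is about: "peer" never looks at the issuing CA's own revocation status.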