
Re: failover config: servers with same DNS address and TLS, subjectAltName extension



On Thu, 26 Jul 2007 18:39:22 CEST, Donn Cave <donn@u.washington.edu> wrote:

> On Jul 26, 2007, at 1:28 AM, Ralf Haferkamp wrote:
>
> [... re CRL checks ...]
>
> > They should work with 0.9.7d. IIRC that was the version I used when
> > implementing CRL support.
>
> Right.
>
> > Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you
> > want to use CRLs you have to specify a CACERTDIR. That directory has to be
> > correctly hashed (using c_rehash).
>
> I don't use CACERTDIR, I put the CRL in the CA certificate.

Ah, ok that should work as well.

> That works, but there's a maintenance problem.  Our CRLs expire, fairly
> quickly, and that breaks certificate verification, so once we have a CRL,
> we have to keep it up to date whether we care about it or not.  There
> doesn't seem to be any way to reload a CRL (OpenSSL bug 1424, Nov 8 2006),
> so we have to restart slapd for each update.  Does the CACERTDIR approach
> avoid this problem?

No, unfortunately not.

--
Ralf
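Added example, not part of the thread above: a small POSIX shell script that does by hand what c_rehash does to a CACERTDIR (a `<hash>.0` link per CA certificate, a `<hash>.r0` link per CRL) and then runs OpenSSL's verifier with CRL checking turned on, so you can see the two failure modes the thread discusses: no CRL in the hashed directory, and a CRL whose nextUpdate has passed. It assumes only the `openssl` command-line tool; the throwaway CA, its name "Demo CA" and every file name are constructed for the demo, and the verified certificate is the CA certificate itself, which is enough to exercise the CRL lookup.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# The CA, "Demo CA", and all paths below are constructed for the demo.
set -eu

# make_demo_ca DIR: throwaway self-signed CA (valid 30 days) plus a CRL that
# is only valid for one day, mimicking a short-lived CRL.
make_demo_ca() {
  dir=$1
  mkdir -p "$dir"
  : > "$dir/index.txt"        # empty CA database: nothing revoked yet
  echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
private_key      = $dir/ca.key
certificate      = $dir/ca.pem
default_md       = sha256
default_crl_days = 1
[ req ]
distinguished_name = dn
[ dn ]
CN = Demo CA
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# hash_cacertdir CADIR: the same links c_rehash creates for OpenSSL's hashed
# directory lookup. Re-run it whenever a CA file or CRL in the directory changes.
hash_cacertdir() {
  cadir=$1
  for f in "$cadir"/*.pem; do
    [ -f "$f" ] || continue
    h=$(openssl x509 -noout -subject_hash -in "$f")
    ln -sf "$(basename "$f")" "$cadir/$h.0"
  done
  for f in "$cadir"/*.crl; do
    [ -f "$f" ] || continue
    h=$(openssl crl -noout -hash -in "$f")
    ln -sf "$(basename "$f")" "$cadir/$h.r0"
  done
}

# verify_with_crl CADIR CERT [EPOCH]: verify CERT against the hashed directory
# with CRL checking on, optionally "as of" a Unix time, and print either OK or
# OpenSSL's one-line reason for the failure.
verify_with_crl() {
  cadir=$1; cert=$2; at=${3:-}
  set -- -crl_check -CApath "$cadir"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  if out=$(openssl verify "$@" "$cert" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

# demo: walk through the three states in a temporary directory.
demo() {
  d=$(mktemp -d)
  make_demo_ca "$d/ca"
  mkdir -p "$d/cacertdir"
  cp "$d/ca/ca.pem" "$d/cacertdir/"
  hash_cacertdir "$d/cacertdir"
  echo "CA only, no CRL:   $(verify_with_crl "$d/cacertdir" "$d/ca/ca.pem")"
  cp "$d/ca/ca.crl" "$d/cacertdir/"
  hash_cacertdir "$d/cacertdir"
  echo "CRL hashed in:     $(verify_with_crl "$d/cacertdir" "$d/ca/ca.pem")"
  later=$(( $(date +%s) + 2 * 86400 ))
  echo "two days from now: $(verify_with_crl "$d/cacertdir" "$d/ca/ca.pem" "$later")"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Run it as `sh crl-dir-demo.sh demo`: the three lines report `unable to get certificate CRL` (CA present, CRL absent), `OK` (CRL present and hashed), and `CRL has expired` (the same directory checked two days later via `-attime`). The last line is Donn's maintenance problem in miniature: once a CRL is in the directory, a stale one fails verification just as a missing one does, so the `.r0` link has to be refreshed on every CRL update, and, as Ralf confirms, slapd still has to be restarted to pick the new CRL up.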