
Re: CRL expiration

On Dec 5, 2007, at 2:10 PM, Matt Kelley wrote:

I am using OpenLDAP 2.3.39.  I have enabled CRL checking by including
"TLSCRLCheck peer" in my slapd.conf file.  I am having a problem when
CRLs expire.  I find that, after retrieving an updated CRL, I must
restart slapd in order for it to be used.  This seems to be true
whether using TLSCACertificateFile or TLSCACertificatePath.  Is this
expected?  Is there any way to update CRLs (or certificates, for that
matter) without recycling slapd?

Yes, if you're willing to modify OpenSSL. The modification is small, and you could just link the modified .o file along with the standard libraries, as long as you don't get too far out of synch with releases.

We aren't that desperate at my site, though.  We will need to restart
the server for a new CRL to take effect.  But we won't need to do this
to survive CRL expiration, because I modified tls.c:tls_verify_cb()
to support expired CRLs.  The expired CRL still works, and in practice
we don't often modify the CRL in a way that matters to anyone.

For more on the OpenSSL part of this, see

	Donn Cave, donn@u.washington.edu

*** libraries/libldap/tls.c.orig        Fri Aug 31 16:13:56 2007
--- libraries/libldap/tls.c     Wed Dec  5 16:35:23 2007
*** 2544,2549 ****
--- 2544,2553 ----
                        "TLS certificate verification: Error, %s\n",
                        certerr, 0, 0 );
+       if ( !ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED ) {
+               ok = 1;
+               X509_STORE_CTX_set_error( ctx, 0 );
+       }
        if ( sname )
                CRYPTO_free ( sname );
        if ( iname )
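Review bot: the override at `if ( !ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED )` is unconditional, so every peer verification accepts a CRL past its nextUpdate with no way to switch the behaviour off and no record of it beyond the generic "TLS certificate verification: Error" line printed just above. Because a revocation published after the CRL expired stays invisible until slapd is restarted with a fresh CRL, gate this on a slapd.conf setting (or at least a compile-time define) and log the acceptance explicitly inside the block, e.g. `Debug( LDAP_DEBUG_ANY, "TLS: accepting expired CRL\n", 0, 0, 0 );`, so an operator can see that the expired CRL is still in use. Minor: `X509_STORE_CTX_set_error( ctx, 0 )` reads better as `X509_STORE_CTX_set_error( ctx, X509_V_OK )`.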