[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CRL question

joakim@comex.se wrote:
> I’m using Openldap with TLS and CRL.
> My slapd.conf file has the line “TLSCRLCheck all”.

Are you using client certificates for authentication?

> When the CRL has expired the client is not allowed to
> make a TLS connection.

Well, that's how a relying party in a X.509 PKI is supposed to act. The
the CRL is expired a cert cannot be used (trusted).

> My question is whether it is possible to configure openldap to let the
> client connect to the server (possibly with a warning) even when the CRL
> has expired.

Don't use CRL checking if you don't want it have an effect.
Simply like that.

Ciao, Michael.