Re: CRL question
> I’m using Openldap with TLS and CRL.
> My slapd.conf file has the line “TLSCRLCheck all”.
Are you using client certificates for authentication?
> When the CRL has expired the client is not allowed to
> make a TLS connection.
Well, that's how a relying party in an X.509 PKI is supposed to act. If
the CRL is expired, a cert cannot be used (trusted).
> My question is whether it is possible to configure openldap to let the
> client connect to the server (possibly with a warning) even when the CRL
> has expired.
Don't use CRL checking if you don't want it to have an effect.
Simply like that.