
Re: CRL question



joakim@comex.se wrote:
>Michael Stroeder wrote: 
>> joakim@comex.se wrote:
>>> I'm using Openldap with TLS and CRL.
>>> My slapd.conf file has the line "TLSCRLCheck all".
>> Are you using client certificates for authentication?
> 
> Yes. 
> 
>>> When the CRL has expired the client is not allowed to
>>> make a TLS connection.
>> Well, that's how a relying party in an X.509 PKI is supposed to act. If
>> the CRL is expired a cert cannot be used (trusted).
>>
>>> My question is whether it is possible to configure openldap to let the
>>> client connect to the server (possibly with a warning) even when the CRL
>>> has expired.
>> Don't use CRL checking if you don't want it to have an effect.
>> Simply like that.
> Thanks for the answer. Just wanted to get rid of denial of service
> when using TLS since CRLs are only valid for a relatively short time.
> But I guess that's not possible then...

The term "denial of service" is usually used in the context of someone
attacking a system which is IMO not applicable in this context. I think
there are valid security reasons that CRLs have a fairly short validity
period. Otherwise the latency between revocation and enforcing the
revocation would be even longer. So you as admin are responsible for
updating the CRL in a timely manner. You should update it more often
than the validity period, not only right before expiration time.

Ciao, Michael.
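The advice above is to refresh the CRL well inside its validity window rather than right before nextUpdate. The following is an added example of such a check, written for this page and not code from the thread, from OpenLDAP, or from the list members. It assumes the `openssl` command-line tool is installed, that slapd's TLSCRLFile lives at the hypothetical path `/etc/openldap/crl.pem`, and that the refresh policy is "fetch a new CRL once half of the window between lastUpdate and nextUpdate has elapsed"; the threshold is a parameter and the values here are constructed. A CRL with no nextUpdate at all is treated as unusable for this purpose, since there is no expiry to plan around.

```python
"""Decide whether the CRL slapd loads via TLSCRLFile should be re-fetched.

Added example, not from the original mailing-list thread. Assumptions:
- the `openssl` CLI is available (used to print lastUpdate/nextUpdate),
- the CRL path and the refresh fraction below are site-specific choices.
How the new file is fetched and how slapd is made to reload it are left
to the deployment; this script only answers "refresh now or not".
"""
import subprocess
import sys
from datetime import datetime, timezone

# Hypothetical path; substitute the value of TLSCRLFile in slapd.conf.
CRL_PATH = "/etc/openldap/crl.pem"

# `openssl crl -nextupdate` prints times like "Jan  2 03:04:05 2030 GMT".
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse an openssl-formatted UTC timestamp into an aware datetime."""
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(
        tzinfo=timezone.utc)


def crl_times_from_text(text):
    """Extract (lastUpdate, nextUpdate) from the output of
    `openssl crl -noout -lastupdate -nextupdate`.

    nextUpdate is OPTIONAL in X.509 CRLs; openssl prints "nextUpdate=NONE"
    when it is absent. Such a CRL gives the relying party no expiry to
    schedule against, so it is rejected here rather than guessed at.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            fields[key] = value.strip()
    if "lastUpdate" not in fields:
        raise ValueError("no lastUpdate in openssl output")
    if fields.get("nextUpdate", "NONE") == "NONE":
        raise ValueError("CRL carries no nextUpdate; treat as unusable")
    return (parse_openssl_time(fields["lastUpdate"]),
            parse_openssl_time(fields["nextUpdate"]))


def crl_times(path):
    """Run openssl on a CRL file (PEM) and return (lastUpdate, nextUpdate)."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"],
        check=True, capture_output=True, text=True).stdout
    return crl_times_from_text(out)


def needs_refresh(last_update, next_update, now, fraction=0.5):
    """True when the CRL is expired or more than `fraction` of its validity
    window has already elapsed. Refreshing at that point, instead of just
    before nextUpdate, leaves slack for a failed download or a slow CA
    while still bounding how stale the revocation data can get.
    """
    if now >= next_update:
        return True
    window = next_update - last_update
    return (now - last_update) >= window * fraction


if __name__ == "__main__":
    # Exit 1 when a refresh is due so a cron job can chain the download.
    last, nxt = crl_times(sys.argv[1] if len(sys.argv) > 1 else CRL_PATH)
    due = needs_refresh(last, nxt, datetime.now(timezone.utc))
    print("lastUpdate=%s nextUpdate=%s refresh=%s" % (last, nxt, due))
    sys.exit(1 if due else 0)
```

Run it from cron more often than half the CRL lifetime (for a two-day CRL, every few hours is reasonable) and trigger the download when it exits non-zero; the fraction can be lowered further for CAs that publish on a short cycle.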