[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking client certificates against CRLs

Mike Jackson wrote:
I think the answer is to link against OpenSSL because it supports CRL
retrieval via HTTP and LDAP, and ultimately more convenient - OCSP. Certs
which contain both CRL and OCSP information, a modern client should try OCSP
first and then fall back to trying the CRL.

OCSP is fine, but considering we're talking about OpenLDAP here, the most convenient thing for slapd is for OpenSSL to retrieve its CRL using LDAP. Which means you can just store the CRL as an entry in slapd and OpenSSL will do the right thing.

Setting up an OCSP responder is the “modern” way to go. Think about it: if
your CRL grows large, your client (in this case slapd) needs to fetch and
parse it. OCSP checks are lightweight and happen in real-time. Of course, you
should always HUP your OCSP responder when publishing a new CRL.

NSS has a crazy arcane (even more arcane than OpenSSL) set of command line
options for managing their certificate databases, and at the end of they day
they are BDB - easily corrupted.

Sigh. NSS is over-engineered where it doesn't matter, and under-designed everywhere else - i.e., actual usability.


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/