RE: About CRLs support (evolution request) (ITS#2617)
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> emmanuel.duru@atosorigin.com
> Full_Name: Emmanuel Duru
> Version: 2.2.0 alpha
> OS: Solaris 8
> URL:
> Submission from: (NULL) (195.68.44.148)
> Is it possible (maybe in a next release) to support CRLs?
> By CRLs support, I mean that when performing strong authentication of a client
> (TLS/SSL with client certificate), the server should check that the certificate
> provided by the client is not in a CRL. Provided OpenSSL is able to manage CRLs
> (which should be the case), there should be a means to set a CRL file in OpenLDAP
> configuration, which would pass it to OpenSSL.
We have discussed this issue in other forums before. Current releases of
OpenSSL (0.9.6, 0.9.7) do not provide any special functions for checking a
CRL. There are library functions in OpenSSL 0.9.8 to handle CRLs, but it will
be a while before 0.9.8 is released. If you'd like to submit a patch that
adds CRL support using OpenSSL 0.9.6-7, please do. Apache's mod_ssl provides
an implementation that you could examine for guidance. Whether or not you can
cut and paste the code directly into an OpenLDAP patch depends on the
Apache/mod_ssl license, of course.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
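To make concrete what the requested check amounts to (the server verifying that a TLS client's certificate is not listed in a CRL issued by its CA), here is an added example; it is not OpenLDAP, OpenSSL or mod_ssl code and was not posted by either participant. It is a POSIX shell script that builds a throwaway CA, issues one client certificate, revokes it, publishes a CRL, and shows with `openssl verify -crl_check` how the same certificate is accepted before revocation and rejected afterwards. The CA name, client name, serial numbers and directory layout are all constructed for the demo; it assumes an `openssl` command line of version 1.0 or later on the PATH.

```shell
#!/bin/sh
# Added demo (not project code): CRL checking of a client certificate with
# the openssl CLI. All material below is generated into a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
mkdir -p "$CADIR/newcerts"
touch "$CADIR/index.txt"          # revocation database used by `openssl ca`
echo 1000 > "$CADIR/serial"       # constructed starting serial number
echo 01 > "$CADIR/crlnumber"      # constructed starting CRL number

# Minimal config for `openssl req` and `openssl ca`. "\$dir" stays literal so
# that OpenSSL, not the shell, expands it.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed demo CA, marked as a CA that may sign certificates and CRLs.
openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo LDAP CA" -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" 2>/dev/null

# One client certificate, issued through `openssl ca` so it is recorded in
# index.txt and can later be revoked.
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap-client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/client.csr" -out "$WORK/client.pem" 2>/dev/null

# CRL published before any revocation: the client certificate is not on it.
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-empty.pem" 2>/dev/null

# Revoke the client certificate and publish a fresh CRL that lists it.
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.pem" \
    -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl-revoked.pem" 2>/dev/null

# check_client CERT CRLFILE: prints "accept" or "reject" and returns 0 or 1.
# -crl_check makes verification fail closed: a valid CRL from the issuer must be
# available and the certificate must be absent from it. This is the decision a
# server makes when it has loaded a CRL into the OpenSSL trust store used for
# the TLS handshake.
check_client() {
    if openssl verify -CAfile "$CADIR/ca.pem" -CRLfile "$2" -crl_check "$1" \
        >/dev/null 2>&1; then
        echo accept
        return 0
    else
        echo reject
        return 1
    fi
}

check_client "$WORK/client.pem" "$WORK/crl-empty.pem"            # accept
check_client "$WORK/client.pem" "$WORK/crl-revoked.pem" || true  # reject
```

The script keeps the CRL in a separate file and passes it with `-CRLfile`, which is the CLI counterpart of the configuration knob the request asks for: a server that loads the CRL into its OpenSSL certificate store and enables CRL checking gets the same accept/reject outcome during client authentication, and a missing or expired CRL causes rejection rather than silent acceptance.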