
Re: CRL verification in slapd



Ralf Haferkamp wrote:

As openssl-0.9.7* has some CRL checking capabilities, I am currently working on implementing CRL checking in slapd.

Great news!

Therefore I plan to add the following directives to ldap.conf and slapd.conf:

ldap.conf:
TLS_CRL_CHECK

I'd vote for TLS_CRLCHECK to keep it similar to the style of constants in ldap.h (see suggestions below).


slapd.conf:
TLSCRLCheck

And an options constant for ldap.h (similar to other constants there):

LDAP_OPT_X_TLS_CRLCHECK

And how would the directives for the CRL file/directory be called? Or do you plan to use the directory containing trusted root certs?

How about this:

LDAP_OPT_X_TLS_CRLFILE
LDAP_OPT_X_TLS_CRLDIR

You see, I'm most interested in the ldap.h constants since I'll happily add support for CRL checking in python-ldap. :-)

But it would directly map to directives in ldap.conf:
TLS_CRLFILE
TLS_CRLDIR

For slapd.conf:
TLSCRLFile
TLSCRLDir

The possible values of these would be (reflecting the possibilities that openssl-0.9.7d currently has):

"no" do not perform any CRL checks (this would be the default)

I'd vote for "none".

"yes" perform CRL checks

This only performs a revocation check on the end-entity cert? How about calling this "peer" to make that very clear?


"all" perform CRL checks for the whole chain

Ok for me.

Any comments or suggestions regarding this?

My suggestions for naming the constants in ldap.h:

LDAP_OPT_X_TLS_CRLCHECK_NONE
LDAP_OPT_X_TLS_CRLCHECK_PEER
LDAP_OPT_X_TLS_CRLCHECK_ALL

Ciao, Michael.