[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

To: Ralf Haferkamp <rhafer@suse.de>
Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Donn Cave <donn@u.washington.edu>
Date: Thu, 26 Jul 2007 09:39:22 -0700
Cc: openldap-software@openldap.org
In-reply-to: <200707261028.11083.rhafer@suse.de>
References: <1i1rwhd.17rpclx1jh9hw8M%manu@netbsd.org> <200707261028.11083.rhafer@suse.de>

On Jul 26, 2007, at 1:28 AM, Ralf Haferkamp wrote:

[... re CRL checks ...]

They should work with 0.9.7d. IIRC that was the version I used when
implementing CRL support.


Right.

Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you want to use CRLs you have to specify a CACERTDIR. That directory has to be correctly hashed (using c_rehash).


I don't use CACERTDIR, I put the CRL in the CA certificate.

That works, but there's a maintenance problem. Our CRLs expire, fairly quickly, and that breaks certificate verification, so once we have a CRL, we have to keep it up to date whether we care about it or not. There doesn't seem to be any way to reload a CRL (OpenSSL bug 1424, Nov 8 2006), so we have to restart slapd for each update. Does the CACERTDIR approach avoid this problem?

	Donn Cave, donn@u.washington.edu

Follow-Ups:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Ralf Haferkamp <rhafer@suse.de>

References:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Ralf Haferkamp <rhafer@suse.de>

Prev by Date: Help needed to analyze the output of ldapwhoami - reg.
Next by Date: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Index(es):
- Chronological
- Thread