
RE: CRL question



Thanks for the answer. Just wanted to get rid of denial of service when using TLS since CRLs are only valid for a relatively short time. But I guess that's not possible then...

>joakim@comex.se wrote:
>> 
>> I'm using Openldap with TLS and CRL.
>> My slapd.conf file has the line "TLSCRLCheck all".
>
>Are you using client certificates for authentication?

Yes. 

>> When the CRL has expired the client is not allowed to
>> make a TLS connection.
>
>Well, that's how a relying party in an X.509 PKI is supposed to act. When
>the CRL is expired, a cert cannot be used (trusted).
>
>> My question is whether it is possible to configure openldap to let the
>> client connect to the server (possibly with a warning) even when the CRL
>> has expired.
>
>Don't use CRL checking if you don't want it to have an effect.
>Simply like that.
>
>Ciao, Michael.
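A defender-side check for the outage described in this thread: with TLSCRLCheck set, slapd rejects client certificates once the CRL's nextUpdate has passed, so the operational fix is to refresh the CRL before that happens rather than to disable checking. The following added example is not part of the thread; it assumes the python cryptography package and uses a throwaway CA key and CRL constructed inside the script to report whether a CRL is ok, about to expire, or already expired.

```python
"""Report a CRL's validity state so it can be refreshed before slapd
(with TLSCRLCheck peer/all) starts refusing TLS clients.
Added example, not from the thread; the CRL below is constructed here."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def crl_status(crl_pem: bytes, now: datetime, warn_before: timedelta) -> str:
    """Return 'ok', 'expiring' or 'expired' based on the CRL's nextUpdate."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # next_update_utc exists in newer cryptography releases; older ones
    # expose a naive UTC datetime as next_update.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None and crl.next_update is not None:
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is None:
        return "no-next-update"   # nothing to expire, but also nothing to trust
    if now >= next_update:
        return "expired"          # a relying party must now reject peer certs
    if now + warn_before >= next_update:
        return "expiring"         # refresh the CRL now, before the outage
    return "ok"


def make_crl(valid_for: timedelta, now: datetime) -> bytes:
    """Construct a throwaway CA key and an empty CRL valid for `valid_for`."""
    key = ec.generate_private_key(ec.SECP256R1())  # constructed, not a real CA
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer)
           .last_update(now)
           .next_update(now + valid_for)
           .sign(private_key=key, algorithm=hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.PEM)


def demo() -> list:
    """Drive crl_status through a 7-day CRL at three points in time."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pem = make_crl(timedelta(days=7), now)
    warn = timedelta(days=1)
    return [crl_status(pem, now + timedelta(days=d), warn) for d in (0, 6.5, 8)]


if __name__ == "__main__":
    print(demo())  # ['ok', 'expiring', 'expired']
```

Run against a real CRL by loading its PEM bytes and passing the current time; an "expiring" result is the moment to publish a fresh CRL.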