
Re: Checking client certificates against CRLs



Mike Jackson wrote:
I think the answer is to link against OpenSSL because it supports CRL
retrieval via HTTP and LDAP, and ultimately more convenient - OCSP. For certs
which contain both CRL and OCSP information, a modern client should try OCSP
first and then fall back to trying the CRL.

OCSP is fine, but considering we're talking about OpenLDAP here, the most convenient thing for slapd is for OpenSSL to retrieve its CRL using LDAP. Which means you can just store the CRL as an entry in slapd and OpenSSL will do the right thing.

Setting up an OCSP responder is the “modern” way to go. Think about it: if
your CRL grows large, your client (in this case slapd) needs to fetch and
parse it. OCSP checks are lightweight and happen in real-time. Of course, you
should always HUP your OCSP responder when publishing a new CRL.

NSS has a crazy arcane (even more arcane than OpenSSL) set of command line
options for managing their certificate databases, and at the end of the day
they are BDB - easily corrupted.

Sigh. NSS is over-engineered where it doesn't matter, and under-designed everywhere else - i.e., actual usability.

-mike


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
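What the CRL side of this looks like with plain OpenSSL, as an added example that is not part of the thread: a throwaway CA, a leaf cert, and `openssl verify -crl_check` (the same check a client linked against OpenSSL performs) run before and after the leaf is revoked. It assumes only an OpenSSL 1.1.1+ CLI on PATH; the CA config, subject names and temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway CA, a leaf cert, and
# `openssl verify -crl_check` before and after the leaf is revoked. Needs only
# an OpenSSL 1.1.1+ CLI; config, names and the temp dir are constructed here.
set -eu
# Minimal `openssl ca` config: an index file plus the CA key/cert it signs with.
setup_ca() {
  WORK=$(mktemp -d); cd "$WORK"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
[ req ]
distinguished_name = dn
[ dn ]
EOF
  touch index.txt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -subj /CN=demo-ca -addext basicConstraints=critical,CA:TRUE \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=leaf \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # empty CRL
}

# Prints OK when the chain check passes, "revoked" when the CRL lists the
# leaf's serial, and the raw error for anything else (missing CRL, bad sig).
check_leaf() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1) \
    && { echo OK; return; }
  case $out in *"certificate revoked"*) echo revoked ;; *) echo "error: $out" ;; esac
}
# Records the leaf as revoked in the CA index and reissues the CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
setup_ca
BEFORE=$(check_leaf); revoke_leaf; AFTER=$(check_leaf)
echo "before: $BEFORE, after: $AFTER"   # before: OK, after: revoked
cd /; rm -rf "$WORK"
```

Note that `-crl_check` only checks the leaf; `-crl_check_all` extends the check to every CA in the chain, which is what a CRL-aware slapd deployment would usually want.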