Re: failover config: servers with same DNS address and TLS, subjectAltName extension

On Jul 26, 2007, at 1:28 AM, Ralf Haferkamp wrote: [... re CRL checks ...] > They should work with 0.9.7d. IIRC that was the version I used when > implementing CRL support. Right. > Note: As stated in the man-pages (ldap.conf(5) and slapd.conf(5)), when you > want to use CRLs you have to specify a CACERTDIR. That directory has to be > correctly hashed (using c_rehash). I don't use CACERTDIR, I put the CRL in the CA certificate.

That works, but there's a maintenance problem. Our CRLs expire, fairly quickly, and that breaks certificate verification, so once we have a CRL, we have to keep it up to date whether we care about it or not. There doesn't seem to be any way to reload a CRL (OpenSSL bug 1424, Nov 8 2006), so we have to restart slapd for each update. Does the CACERTDIR approach avoid this problem?