I am using OpenLDAP 2.3.39. I have enabled CRL checking by including "TLSCRLCheck peer" in my slapd.conf file. I am having a problem when CRLs expire. I find that, after retrieving an updated CRL, I must restart slapd in order for it to be used. This seems to be true whether using TLSCACertificateFile or TLSCACertificatePath. Is this expected? Is there any way to update CRLs (or certificates, for that matter) without recycling slapd?
Thanks in advance, Matt
I think this was discussed on the list (probably as part of 2.4 TLS enhancements), but I don't recall the outcome.
My first evil idea, though, would be to try to kick your TLS config using back-config...hopefully that rehashes everything?
On Wed, 5 Dec 2007, Matt Kelley wrote:
I am using OpenLDAP 2.3.39. I have enabled CRL checking by including "TLSCRLCheck peer" in my slapd.conf file. I am having a problem when CRLs expire. I find that, after retrieving an updated CRL, I must restart slapd in order for it to be used. This seems to be true whether using TLSCACertificateFile or TLSCACertificatePath. Is this expected? Is there any way to update CRLs (or certificates, for that matter) without recycling slapd?
Thanks in advance, Matt
On Dec 5, 2007, at 2:10 PM, Matt Kelley wrote:
I am using OpenLDAP 2.3.39. I have enabled CRL checking by including "TLSCRLCheck peer" in my slapd.conf file. I am having a problem when CRLs expire. I find that, after retrieving an updated CRL, I must restart slapd in order for it to be used. This seems to be true whether using TLSCACertificateFile or TLSCACertificatePath. Is this expected? Is there any way to update CRLs (or certificates, for that matter) without recycling slapd?
Yes, if you're willing to modify OpenSSL. The modification is small, and you could just link the modified .o file along with the standard libraries, as long as you don't get too far out of synch with releases.
We aren't that desperate at my site, though. We will need to restart the server for a new CRL to take effect. But we won't need to do this to survive CRL expiration, because I modified tls.c:tls_verify_cb() to support expired CRLs. The expired CRL still works, and in practice we don't often modify the CRL in a way that matters to anyone.
For more on the OpenSSL part of this, see http://rt.openssl.org/Ticket/Display.html?id=1424&user=guest&pass=gu...
Donn Cave, donn@u.washington.edu
*** libraries/libldap/tls.c.orig Fri Aug 31 16:13:56 2007 --- libraries/libldap/tls.c Wed Dec 5 16:35:23 2007 *************** *** 2544,2549 **** --- 2544,2553 ---- "TLS certificate verification: Error, %s\n", certerr, 0, 0 ); } + if ( !ok && errnum == X509_V_ERR_CRL_HAS_EXPIRED ) { + ok = 1; + X509_STORE_CTX_set_error( ctx, 0 ); + } if ( sname ) CRYPTO_free ( sname ); if ( iname )
openldap-software@openldap.org