joakim@comex.se wrote:
Michael Stroeder wrote:
joakim@comex.se wrote:
I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all".
Are you using client certificates for authentication?
Yes.
When the CRL has expired the client is not allowed to make a TLS connection.
Well, that's how a relying party in a X.509 PKI is supposed to act. The the CRL is expired a cert cannot be used (trusted).
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired.
Don't use CRL checking if you don't want it have an effect. Simply like that.
Thanks for the answer. Just wanted to get rid of denial of service when using TLS since CRLs only are valid for a relative short time. But I guess that's not possible then...
The term "denial of service" is usually used in the context of someone attacking a system which is IMO not applicable in this context. I think there are valid security reasons that CRLs have a fairly short validity period. Otherwise the latency between revocation and enforcing the revocation would be even longer. So you as admin are responsible for updating the CRL in a timely manner. You should update it more often than the validity period, not only right before expiration time.
Ciao, Michael.