Thanks for the answer. Just wanted to get rid of denial of service when using TLS, since CRLs are only valid for a relatively short time. But I guess that's not possible then...
joakim@comex.se wrote:
I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all".
Are you using client certificates for authentication?
Yes.
When the CRL has expired the client is not allowed to make a TLS connection.
Well, that's how a relying party in an X.509 PKI is supposed to act. When the CRL is expired a cert cannot be used (trusted).
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired.
Don't use CRL checking if you don't want it to have an effect. Simply like that.
Ciao, Michael.
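The relying-party behaviour Michael describes, reproduced with openssl as an added example (this is not part of the original thread and not OpenLDAP's own code): a throw-away CA, a client certificate and an empty CRL valid for one day are constructed inline; verifying the client certificate now succeeds, while verifying it as of two days later fails with "CRL has expired", which is the same verdict slapd's TLS library reaches once the CRL configured via TLSCRLFile has passed its nextUpdate. The names, paths and the one-day CRL lifetime are assumptions made for the demo. The script also prints the CRL's nextUpdate, which is the value to watch if the concern is losing client connections when a short-lived CRL lapses.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce "CRL has expired"
# with openssl so the relying-party behaviour slapd shows can be seen in
# isolation. Everything below (CA, client cert, CRL, paths, lifetimes) is
# constructed here for the demo and is an assumption of the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
    # Throw-away CA and client certificate, each valid for 365 days.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" >/dev/null 2>&1

    # Minimal 'openssl ca' configuration: only what -gencrl needs.
    : > "$WORK/index.txt"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca  = demo
[ demo ]
database    = $WORK/index.txt
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md  = sha256
EOF
    # Empty CRL valid for one day, like the short-lived CRLs in the thread.
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 1 \
        -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Print the CRL's nextUpdate. After this instant every relying party that
# checks CRLs (slapd with TLSCRLCheck peer or all included) rejects the cert.
crl_next_update() {
    openssl crl -in "$WORK/crl.pem" -noout -nextupdate
}

# Verify the client cert with CRL checking as of epoch time $1.
# -attime moves the verifier's clock, so the same CRL can be tested both
# while valid and after its nextUpdate. Prints OK, CRL_EXPIRED or FAIL.
crl_status() {
    if out=$(openssl verify -attime "$1" -crl_check \
            -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
            "$WORK/client.pem" 2>&1); then
        echo OK
        return 0
    fi
    case $out in
        *"CRL has expired"*) echo CRL_EXPIRED ;;
        *) echo "FAIL: $out" ;;
    esac
}

make_pki
NOW=$(date +%s)
LATER=$((NOW + 2 * 24 * 3600))   # two days on: the one-day CRL has lapsed
echo "CRL $(crl_next_update)"
echo "verify now:         $(crl_status "$NOW")"
echo "verify in two days: $(crl_status "$LATER")"
```

slapd.conf's TLSCRLCheck accepts the levels none, peer and all; Michael's suggestion corresponds to none. If CRL checking is to stay on, the second verification above is what clients will hit, so the operational fix is to replace the CRL before the nextUpdate the script prints rather than to tolerate an expired one.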