Hi!
I have a question: olcTLSCRLFile is SINGLE-VALUE in OpenLDAP 2.5
When I have different Sub-CAs (say one issuing host certificates, while another issues user certificates) I can handle only one CRL file obviously. Can this scenario be handled in OpenLDAP 2.5 (maybe like concatenating multiple CRLs)?
What if the restriction SINGLE-VALUE is dropped? What about the idea of adding a second token to olcTLSCRLFile that specifies a regex that must match the certificate's subject to use that CRL?
Kind regards, Ulrich Windl
--On Tuesday, June 3, 2025 7:24 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
Hi!
I have a question:
olcTLSCRLFile is SINGLE-VALUE in OpenLDAP 2.5
You use a GnuTLS linked build of OpenLDAP? That seems unlikely? Also, it takes a *list*.
olcTLSCRLFile: <filename> Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked. This parameter is only valid when using GnuTLS.
If you're using OpenSSL linked OpenLDAP, then:
olcTLSCRLCheck: <level> Specifies if the Certificate Revocation List (CRL) of the CA should be used to verify if the client certificates have not been revoked. This requires olcTLSCACertificatePath parameter to be set. This parameter is ignored with GnuTLS. <level> can be specified as one of the following keywords:
none No CRL checks are performed
peer Check the CRL of the peer certificate
all Check the CRL for a whole certificate chain
Regards, Quanah
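The OpenSSL path Quanah points at (olcTLSCACertificatePath plus olcTLSCRLCheck) does handle the multi-CA case from the original question, because the directory it names is an OpenSSL hashed directory that can hold one CRL per CA as <hash>.r0, <hash>.r1 and so on. The script below is an added example, not code from the thread or from the OpenLDAP project: it builds such a directory with two issuing CAs (host and user) and a CRL for each, revokes one user certificate, and verifies the peer certificates against the directory the way an OpenSSL-linked slapd would. Every CA, key, certificate, name and path in it is constructed for the demo, it needs the openssl CLI (1.1.1 or 3.x), and /etc/ldap/capath in the emitted LDIF is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): one CApath directory
# holding two issuing CAs and one CRL per CA, checked with 'openssl verify'.
# All CAs, keys, certificates and paths are constructed here; needs openssl.
set -eu

# Self-signed issuing CA in $1 with CN $2, plus the minimal openssl.cnf that
# 'openssl ca -revoke' / '-gencrl' need (database and default digest only).
make_ca() {
  mkdir -p "$1"
  : > "$1/index.txt"
  printf '[ ca ]\ndefault_ca = local\n[ local ]\ndatabase = %s/index.txt\ndefault_md = sha256\n' \
    "$1" > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
    -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# End-entity certificate $1/$2.crt with CN $3, signed by the CA in $1.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/$2.crt" -days 30 >/dev/null 2>&1
}

# Revoke the optional certificate $2, then issue the CA's CRL as $1/ca.crl.
gen_crl() {
  if [ -n "${2:-}" ]; then
    openssl ca -config "$1/ca.cnf" -keyfile "$1/ca.key" -cert "$1/ca.crt" \
      -revoke "$2" >/dev/null 2>&1
  fi
  openssl ca -config "$1/ca.cnf" -keyfile "$1/ca.key" -cert "$1/ca.crt" \
    -gencrl -crldays 30 -out "$1/ca.crl" >/dev/null 2>&1
}

# First unused "<dir>/<hash>.<infix><n>": two CAs whose names hash to the
# same value still get distinct .0/.1 (certs) or .r0/.r1 (CRLs) slots.
next_free() {
  n=0
  while [ -e "$1/$2.$3$n" ]; do n=$((n + 1)); done
  printf '%s/%s.%s%s\n' "$1" "$2" "$3" "$n"
}

# Place CA cert (<hash>.N) and CRL (<hash>.rN) into CApath $2 by OpenSSL
# subject/issuer name hash, the layout 'openssl rehash' / c_rehash produce.
install_ca() {
  cp "$1/ca.crt" "$(next_free "$2" "$(openssl x509 -hash -noout -in "$1/ca.crt")" "")"
  cp "$1/ca.crl" "$(next_free "$2" "$(openssl crl -hash -noout -in "$1/ca.crl")" "r")"
}

# Verify peer cert $2 against CApath $1 with CRL checking on the leaf (the
# lookup olcTLSCRLCheck peer performs). Prints ok, revoked, or error.
check_peer() {
  if out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1); then
    echo ok
    return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# Host CA and user CA, each with its own CRL in one CApath; one user
# certificate is revoked. Prints "ok ok revoked".
demo() {
  work=$(mktemp -d)
  capath="$work/capath"
  mkdir -p "$capath"
  make_ca "$work/hostca" "Host Issuing CA"
  make_ca "$work/userca" "User Issuing CA"
  issue_leaf "$work/hostca" ldap ldap.example.test
  issue_leaf "$work/userca" alice alice
  issue_leaf "$work/userca" mallory mallory
  gen_crl "$work/hostca"
  gen_crl "$work/userca" "$work/userca/mallory.crt"
  install_ca "$work/hostca" "$capath"
  install_ca "$work/userca" "$capath"
  printf '%s %s %s\n' "$(check_peer "$capath" "$work/hostca/ldap.crt")" \
    "$(check_peer "$capath" "$work/userca/alice.crt")" \
    "$(check_peer "$capath" "$work/userca/mallory.crt")"
  rm -rf "$work"
}

# cn=config change pointing an OpenSSL-linked slapd at such a directory;
# /etc/ldap/capath is a placeholder.
slapd_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ldap/capath
-
replace: olcTLSCRLCheck
olcTLSCRLCheck: peer
EOF
}

demo
slapd_ldif
```

The subject-matching idea from the question is not needed here: OpenSSL looks the CRL up by the hash of the peer certificate's issuer name, so each CA's CRL is found on its own. Note that with olcTLSCRLCheck set to all, the CRLs of every CA above the issuer must be present in the same directory as well, and the directory has to be refreshed (new <hash>.rN file) whenever a CA publishes a new CRL.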
Hi!
Thanks for answering; meanwhile I realized that it is not needed as we don't use GNU TLS, but still: Where in the docs is it indicated that "it takes a *list*"? The docs talk about "Specifies a file containing a Certificate Revocation List". For me neither "a file" nor "a list" is plural.
Kind regards, Ulrich Windl
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Thursday, June 5, 2025 1:42 AM
To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org
Subject: [EXT] Re: Q: CRL handling for multiple CAs