Hi,
I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all". When the CRL has expired the client is not allowed to make a TLS connection.
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired. Does anyone know if that is possible?
/Jocke
###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.f-secure.com/
joakim@comex.se wrote:
I’m using Openldap with TLS and CRL. My slapd.conf file has the line “TLSCRLCheck all”.
Are you using client certificates for authentication?
When the CRL has expired the client is not allowed to make a TLS connection.
Well, that's how a relying party in a X.509 PKI is supposed to act. The the CRL is expired a cert cannot be used (trusted).
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired.
Don't use CRL checking if you don't want it have an effect. Simply like that.
Ciao, Michael.
Thanks for the answer. Just wanted to get rid of denial of service when using TLS since CRLs only are valid for a relative short time. But I guess that's not possible then...
joakim@comex.se wrote:
I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all".
Are you using client certificates for authentication?
Yes.
When the CRL has expired the client is not allowed to make a TLS connection.
Well, that's how a relying party in a X.509 PKI is supposed to act. The the CRL is expired a cert cannot be used (trusted).
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired.
Don't use CRL checking if you don't want it have an effect. Simply like that.
Ciao, Michael.
###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.f-secure.com/
joakim@comex.se wrote:
Michael Stroeder wrote:
joakim@comex.se wrote:
I'm using Openldap with TLS and CRL. My slapd.conf file has the line "TLSCRLCheck all".
Are you using client certificates for authentication?
Yes.
When the CRL has expired the client is not allowed to make a TLS connection.
Well, that's how a relying party in a X.509 PKI is supposed to act. The the CRL is expired a cert cannot be used (trusted).
My question is whether it is possible to configure openldap to let the client connect to the server (possibly with a warning) even when the CRL has expired.
Don't use CRL checking if you don't want it have an effect. Simply like that.
Thanks for the answer. Just wanted to get rid of denial of service when using TLS since CRLs only are valid for a relative short time. But I guess that's not possible then...
The term "denial of service" is usually used in the context of someone attacking a system which is IMO not applicable in this context. I think there are valid security reasons that CRLs have a fairly short validity period. Otherwise the latency between revocation and enforcing the revocation would be even longer. So you as admin are responsible for updating the CRL in a timely manner. You should update it more often than the validity period, not only right before expiration time.
Ciao, Michael.
openldap-technical@openldap.org
-
joakim@comex.se -
Michael Ströder