<div dir="ltr"><div><span id="result_box" class="" lang="en">The objective is to check for certificate revocation using CRL, directly and simply distributed by the PKI without making any script (preprocessing of the CRL and another for revocation checking).</span><br> <br></div> <div id="gt-res-content" class=""><div dir="ltr" style="zoom:1"><span id="result_box" class="" lang="en">So I understand that it is not so simple (except with OCSP)<br><br></span></div><div style><span id="result_box" class="" lang="en">Thank you.<br></span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-29 17:16 GMT+01:00 Arran Cudbard-Bell <span dir="ltr"><<a href="mailto:a.cudbardb@freeradius.org" target="_blank">a.cudbardb@freeradius.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On 29 Oct 2014, at 11:25, Alan DeKok <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:<br>
><br>
> vincent viard wrote:<br>
>> I just want to know if the following statement is always true:<br>
>><br>
>> "You will still need to restart FreeRADIUS after downloading a new CRL"<br>
><br>
> OpenSSL doesn't allow for the dynamic reloading of CRLs.<br>
><br>
> If your CRLs change often, use OCSP.<br>
<br>
</span>Or perform validation using the exposed cert fields. There's no reason why<br>
you couldn't use an SQL or LDAP directory to check certificate validity.<br>
<br>
Arran Cudbard-Bell <<a href="mailto:a.cudbardb@freeradius.org">a.cudbardb@freeradius.org</a>><br>
FreeRADIUS development team<br>
<br>
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2<br>
<div class="HOEnZb"><div class="h5"><br>
</div></div></blockquote></div><br></div>
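<div>The database-backed check suggested in the quoted reply, as an added example (not code from the thread or from FreeRADIUS): a revocation table keyed by issuer and serial is consulted on each authentication, so a new revocation takes effect without a restart. The table layout, function names and sample values are assumptions, and the issuer string is compared exactly as supplied.</div>

```python
import sqlite3

def normalize_serial(serial: str) -> str:
    """Canonical serial: lowercase hex, no separators, no 0x, no leading zeros."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not a hex serial: {serial!r}")
    return s.lstrip("0") or "0"

def open_store(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    # Serial numbers are only unique per issuer, so the key is the pair.
    db.execute(
        "CREATE TABLE IF NOT EXISTS revoked ("
        " issuer TEXT NOT NULL, serial TEXT NOT NULL, revoked_at TEXT NOT NULL,"
        " PRIMARY KEY (issuer, serial))"
    )
    return db

def revoke(db, issuer, serial, revoked_at):
    """Record a revocation; the next lookup sees it, no reload needed."""
    with db:
        db.execute("INSERT OR IGNORE INTO revoked VALUES (?, ?, ?)",
                   (issuer, normalize_serial(serial), revoked_at))

def is_revoked(db, issuer, serial) -> bool:
    try:
        key = normalize_serial(serial)
    except ValueError:
        return True  # fail closed: an unparseable serial is treated as revoked
    row = db.execute("SELECT 1 FROM revoked WHERE issuer = ? AND serial = ?",
                     (issuer, key)).fetchone()
    return row is not None

if __name__ == "__main__":
    CA = "CN=Example Issuing CA,O=Example"  # constructed issuer DN
    db = open_store()
    revoke(db, CA, "0A:1B:2C", "2014-10-29T12:00:00Z")  # constructed entry
    for s in ("a1b2c", "0x0A1B2C", "0D4E", "not-hex"):
        print(s, "->", "reject" if is_revoked(db, CA, s) else "accept")
```

This lookup covers revocation status only; chain and validity-period checks remain with the TLS layer.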