distinguish between revoked and expired certificates
Is it possible to distinguish between expired and revoked certificates and assign a special vlan in the first case while rejecting the user in the second one? As in both cases the certificate is invalid, I suppose the answer is no. The probably best way would be to organize the the renewal of certificates appropriately. With best regards, ________________________________ Norbert Wegener
On 09/07/2012 10:05 AM, Wegener, Norbert wrote:
Is it possible to distinguish between expired and revoked certificates and assign a special vlan in the first case while rejecting the user in the second one? As in both cases the certificate is invalid, I suppose the answer is no.
If it's even possible, I think this might need changes to the "verify" callback in the source code, as well as various SSL options setting. However, you might have a look at the code in HEAD that was added to send the TLS cert details to a virtual server for authorisation; if you were going to do it anywhere, that would be the place to do it.
Wegener, Norbert wrote:
Is it possible to distinguish between expired and revoked certificates and assign a special vlan in the first case while rejecting the user in the second one? As in both cases the certificate is invalid, I suppose the answer is no.
Both will cause Access-Reject. :)
The probably best way would be to organize the the renewal of certificates appropriately.
Yes. And that can be hard. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
Wegener, Norbert