How to use "Classic" CRL?

Christ Schlacta lists at aarcane.org
Wed Jan 11 20:55:08 CET 2012


Well, every other application of the CA allows for simply retrieving the 
CRL file and using it.  To use c_rehash, I have to connect to the RADIUS 
server, retrieve not only the CRL file, but all the other files for 
c_rehash, then run c_rehash.

On 1/11/2012 01:01, Phil Mayers wrote:
> On 01/10/2012 08:31 PM, Christ Schlacta wrote:
>> Is it possible yet to configure freeradius TLS to use a classic CRL, as
>> in a single file that's downloaded from the authority every once in a
>> while that is a.. well, CRL, rather than a directory with hashed stuff
>> in it? I'm not in front of my fr right now, so I don't know the exact
>> terminology used in the config, but you know what I'm talking about.
>> This hashed folder of stuff makes it very difficult to maintain a CRL
>> with freeradius, because, at least in part, it adds an additional level
>> of complexity not present in every other openssl application.
>
> That's not entirely true. FreeRADIUS just uses the OpenSSL APIs, and 
> other OpenSSL applications use similar mechanisms.
>
> I'm also not sure why running the OpenSSL "c_rehash" command/script is 
> "very difficult" for you; can you explain?
>
> Anyway, the answer is no - FreeRADIUS does not offer any config option 
> to point to a single CRL file. For one thing, a CRL file limits you to 
> a single CA. CRL directories are the more general mechanism.
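
The hashed-directory layout discussed in this thread, shown as an added example (not part of the original messages and not FreeRADIUS or OpenSSL project code): a single downloaded PEM CRL is verified against its CA certificate and stored under the `<issuer-hash>.r<N>` name that OpenSSL's directory lookup expects. The function name `install_crl` and all three paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# install_crl CRL_PEM CA_PEM HASH_DIR   (hypothetical helper; paths are caller-supplied)
# Verifies a downloaded PEM CRL against its CA certificate, then stores it
# in HASH_DIR as <issuer-hash>.r<N>, the name OpenSSL's directory lookup
# uses. Prints the installed path on success.
install_crl() {
    crl=$1 ca=$2 dir=$3
    # Issuer-name hash of the CRL; this also rejects files that are not CRLs.
    hash=$(openssl crl -in "$crl" -noout -hash 2>/dev/null) || return 1
    [ -n "$hash" ] || return 1
    # Check the CRL signature. Match the message text rather than the exit
    # status, which does not signal a bad signature in every OpenSSL release.
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' || {
        echo "install_crl: signature on $crl does not verify against $ca" >&2
        return 1
    }
    issuer=$(openssl crl -in "$crl" -noout -issuer) || return 1
    n=0
    # Reuse the slot that already holds this issuer's CRL (a refresh);
    # skip slots taken by a different issuer that shares the same hash.
    while [ -e "$dir/$hash.r$n" ]; do
        old=$(openssl crl -in "$dir/$hash.r$n" -noout -issuer 2>/dev/null)
        [ "$old" = "$issuer" ] && break
        n=$((n + 1))
    done
    # Write to a temporary name, then rename, so a reader never sees a
    # half-written CRL.
    tmp="$dir/.$hash.r$n.$$"
    openssl crl -in "$crl" -out "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dir/$hash.r$n" || { rm -f "$tmp"; return 1; }
    echo "$dir/$hash.r$n"
}
```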


