A new CRL processing

vince technical address vince.technicaladdress at gmail.com
Wed Oct 29 18:10:20 CET 2014


The objective is to check for certificate revocation using CRL, directly
and simply distributed by the PKI without making any script (preprocessing of
the CRL and another for revocation checking).

So I understand that it is not so simple (except with OCSP).

Thank you.

2014-10-29 17:16 GMT+01:00 Arran Cudbard-Bell <a.cudbardb at freeradius.org>:

>
> > On 29 Oct 2014, at 11:25, Alan DeKok <aland at deployingradius.com> wrote:
> >
> > vincent viard wrote:
> >> I just want to know if the following statement is always true:
> >>
> >> "You will still need to restart FreeRADIUS after downloading a new CRL"
> >
> >  OpenSSL doesn't allow for the dynamic reloading of CRLs.
> >
> >  If your CRLs change often, use OCSP.
>
> Or perform validation using the exposed cert fields. There's no reason why
> you couldn't use an SQL or LDAP directory to check certificate validity.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2