> If I'm not mistaken, two checks are done:
> - Issuer CRL check first
> - Subject CRL check

That's not strictly the case. The handler evaluates every certificate in the chain provided by the client. In the simple case of chain length 2, it's equivalent to what you said, but it could involve more or fewer depending on the certificate (chain) provided by the client.

> My problem is that issuer CRL is only available through an LDAP query... and
> it seems that CRL cannot be checked when they are provided by an LDAP directory

That's correct. I only provided support for HTTP URIs since I didn't have a use case for any other scheme. If you want LDAP support, please open an improvement issue at https://issues.jasig.org/browse/CAS and I'll investigate.

As a workaround, you could create a process that periodically pulls the CRL and publishes it to a location accessible via HTTP, then use ResourceCRLRevocationChecker at one or more fixed URLs. Note this component can support multiple CRLs at multiple URLs if you have different issuers.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
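The workaround in the reply above (pull the CRL out of the directory on a schedule, publish it at a fixed HTTP URL, point ResourceCRLRevocationChecker at that URL) needs a little more than a plain copy: the mirror should refuse an expired CRL, should never replace the CRL it serves with an older one, and should never leave a half-written file where CAS can fetch it. The script below is an added example, not code from this thread or from CAS. It assumes the ldap3 package for the directory fetch (that function is not exercised offline, and the `certificateRevocationList;binary` attribute name and `cRLDistributionPoint` object class it searches for are assumptions about the directory), and it constructs its own unsigned sample CRL, with a made-up issuer name, so the publishing logic can be run without a directory. It deliberately does not verify the CRL signature; it only guarantees that what reaches the web root is a complete, unexpired, monotonically newer CRL.

```python
import os
import tempfile
from datetime import datetime, timezone

def der_len(n):                                   # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, val):
    """RFC 5280 Time: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY) or GeneralizedTime."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("expected UTCTime or GeneralizedTime")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl_times(der):
    """Walk CertificateList -> TBSCertList; return (issuer DER, thisUpdate, nextUpdate)."""
    tag, cert_list, _ = der_read(der, 0)
    tag2, tbs, _ = der_read(cert_list, 0)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER CertificateList: the directory did not return a CRL")
    tag, val, pos = der_read(tbs, 0)
    if tag == 0x02:                               # optional version INTEGER
        tag, val, pos = der_read(tbs, pos)
    tag2, issuer, pos = der_read(tbs, pos)
    if tag != 0x30 or tag2 != 0x30:               # signature AlgorithmIdentifier, issuer Name
        raise ValueError("malformed TBSCertList")
    tag, val, pos = der_read(tbs, pos)
    this_update, next_update = parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = der_read(tbs, pos)
        if tag in (0x17, 0x18):                   # nextUpdate is OPTIONAL
            next_update = parse_time(tag, val)
    return issuer, this_update, next_update

def publish_crl(der, webroot, name, now=None):
    """Atomically write der to webroot/name: True if written, False if already current.
    Rejects expired CRLs and never replaces a newer CRL with an older one."""
    now = now or datetime.now(timezone.utc)
    _, this_update, next_update = parse_crl_times(der)
    if next_update is not None and next_update < now:
        raise ValueError("CRL already expired; not publishing a stale CRL")
    target = os.path.join(webroot, name)
    if os.path.exists(target):
        with open(target, "rb") as f:
            _, old_this_update, _ = parse_crl_times(f.read())
        if old_this_update >= this_update:
            return False                          # same or newer CRL is already served
    fd, tmp = tempfile.mkstemp(dir=webroot, prefix=name + ".")
    with os.fdopen(fd, "wb") as f:
        f.write(der)
    os.chmod(tmp, 0o644)                          # readable by the web server
    os.replace(tmp, target)                       # atomic: clients never see a partial file
    return True

def fetch_crl_from_ldap(server, base_dn, attr="certificateRevocationList;binary"):
    """Pull the DER CRL from the directory. Assumes the ldap3 package; not run offline."""
    import ldap3  # assumption: pip install ldap3
    conn = ldap3.Connection(ldap3.Server(server, use_ssl=True), auto_bind=True)
    conn.search(base_dn, "(objectClass=cRLDistributionPoint)", attributes=[attr])
    return conn.entries[0][attr].raw_values[0]

def build_sample_crl(this_update, next_update, cn="Example Issuing CA"):
    """Constructed, unsigned sample CRL (UTCTime strings, zeroed signature) for offline use."""
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    rdn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x13, cn.encode()))
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg + der_tlv(0x30, der_tlv(0x31, rdn))
                  + der_tlv(0x17, this_update.encode()) + der_tlv(0x17, next_update.encode()))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(32)))

def run_demo():
    """Replay several mirroring runs against one web root; return publish_crl's decisions."""
    webroot, now = tempfile.mkdtemp(), datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    def pub(this_update, next_update):
        return publish_crl(build_sample_crl(this_update, next_update), webroot, "ca.crl", now)
    results = [pub("240530120000Z", "240606120000Z"),    # first fetch: published
               pub("240530120000Z", "240606120000Z"),    # unchanged: skipped
               pub("240520120000Z", "240606120000Z"),    # older thisUpdate: rollback refused
               pub("240531120000Z", "240607120000Z")]    # newer: published
    try:
        pub("240501120000Z", "240508120000Z")            # expired: rejected
    except ValueError as e:
        results.append(str(e))
    return results
```

Run `publish_crl(fetch_crl_from_ldap(...), "/var/www/crl", "ca.crl")` from cron at an interval shorter than the CRL's thisUpdate-to-nextUpdate window, serve `/var/www/crl` over HTTP, and give ResourceCRLRevocationChecker that URL; with several issuers, publish one file per issuer and list each URL, as the reply notes the component supports. The rollback check matters because a directory replica that has fallen behind, or an attacker who can replay an old LDAP response, would otherwise hand CAS a CRL that no longer lists recently revoked certificates.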
