Hello!

On Wed, Nov 25, 2015 at 11:58:19PM -0500, DankMemes wrote:

> If any of the concatenated CRLs in the file provided to ssl_crl have expired
> (root or intermediate), what is the Nginx behavior (assuming
> ssl_verify_client is on)? Does it result in failing verification of the
> client certificate (chain), or does it just log a warning, or nothing
> happens? If it does fail verification, how can I detect that specific
> problem and still perform the rest of verification (valid certificate which
> itself has not expired and chain of trust can be established to the
> verification depth) (the CA I'm using to generate the CRLs is on the same
> server, so it's not a problem if it's actually expired -- though a warning
> message would be nice as a reminder to the admin).

CRLs are just loaded by nginx from a file specified by the
ssl_crl directive, and no additional checks are made.

-- 
Maxim Dounin
http://nginx.org/
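An admin-side check for the reminder asked about in the question, added here as an example (it is not part of the original message and not nginx code): it reads every CRL in a concatenated PEM file like the one given to ssl_crl and reports those whose nextUpdate has passed. The function names, the sample CRLs (constructed, structurally minimal and unsigned) and the reference date are assumptions; signatures are not verified.

```python
import base64, re
from datetime import datetime, timezone

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                      # UTCTime: RFC 5280 maps YY >= 50 to 19YY
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_updates(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; None if absent."""
    _, pos, _ = read_tlv(der, 0)         # CertificateList
    _, pos, end = read_tlv(der, pos)     # TBSCertList
    times = []
    while pos < end and len(times) < 2:  # walk top-level TBSCertList fields only
        tag, start, stop = read_tlv(der, pos)
        if tag in (0x17, 0x18):          # UTCTime / GeneralizedTime
            times.append(parse_time(tag, der[start:stop]))
        elif times:
            break                        # past the time fields (revoked list, extensions)
        pos = stop
    return tuple((times + [None, None])[:2])

def expired_crls(pem_text, now):
    """Return [(index, nextUpdate)] for each CRL whose nextUpdate is before now."""
    found = [crl_updates(base64.b64decode(b))[1] for b in PEM_CRL.findall(pem_text)]
    return [(i, nxt) for i, nxt in enumerate(found) if nxt is not None and nxt < now]

# Constructed sample input: two minimal, unsigned CRLs concatenated in one PEM string.
def der_tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths are enough here

def sample_crl(next_upd):
    tbs = der_tlv(0x30, der_tlv(0x30) * 2 + der_tlv(0x17, b"151101000000Z") + der_tlv(0x17, next_upd))
    der = der_tlv(0x30, tbs + der_tlv(0x30) + der_tlv(0x03, b"\x00"))
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % base64.b64encode(der).decode()

SAMPLE = sample_crl(b"151120000000Z") + sample_crl(b"161101000000Z")
if __name__ == "__main__":
    for idx, nxt in expired_crls(SAMPLE, datetime(2015, 11, 25, tzinfo=timezone.utc)):
        print(f"WARNING: CRL #{idx} in file expired at {nxt:%Y-%m-%d %H:%M} UTC")
```

Run against the real file by passing its contents as `pem_text` and `datetime.now(timezone.utc)` as `now`, for example from a cron job that mails the admin.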
