On 09 Apr 2014, at 17.02, Michael Ströder <[email protected]> wrote:
> On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo <[email protected]> wrote:
>> This question may be better asked in the NSS mailing list. Feel free to let me know if that is the case.
>>
>> I'm building a service based around OpenLDAP and SASL EXTERNAL authentication using client certificates. One of the requirements is that we have the ability to revoke client certificates. I've found that the only way to revoke a client certificate using an NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
>>
>> - Revoke the certificate
>> - Import the CRL into the db referenced by olcTLSCACertificatePath
>> - restart slapd
>>
>> Is there a way to update the CRL without restarting slapd? And is there any way to make slapd request the URL referenced in the client cert's nsCaRevocationUrl attribute? If the answer to this is "use OpenSSL", that's a fine answer.
>
> I'm also interested in CRL checking without having to reload a server configuration. I'm using a custom OpenLDAP build linked against OpenSSL though.
>
> Ciao, Michael.

I think the answer is to link against OpenSSL because it supports CRL retrieval via HTTP and LDAP, and ultimately the more convenient option - OCSP. For certs which contain both CRL and OCSP information, a modern client should try OCSP first and then fall back to trying the CRL. Setting up an OCSP responder is the “modern” way to go. Think about it: if your CRL grows large, your client (in this case slapd) needs to fetch and parse it. OCSP checks are lightweight and happen in real time. Of course, you should always HUP your OCSP responder when publishing a new CRL.

NSS has a crazy arcane (even more arcane than OpenSSL) set of command line options for managing their certificate databases, and at the end of the day they are BDB - easily corrupted.

-mike
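The OCSP-first, CRL-fallback logic mike describes, as an added Go example that is not from this thread, OpenLDAP or NSS: it builds an in-memory CA and a CRL that revokes a client certificate (the client cert, its serial 4242 and the two URLs are constructed placeholders), orders the certificate's revocation sources OCSP-first, and runs the CRL check only after verifying the CRL's signature against the CA. Fetching from the URLs is not performed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// CheckOrder lists revocation sources as a modern client tries them: OCSP first, then CRL distribution points.
func CheckOrder(cert *x509.Certificate) []string {
	return append(append([]string{}, cert.OCSPServer...), cert.CRLDistributionPoints...)
}
// RevokedByCRL is the fallback: verify the DER CRL against the issuing CA, then look up cert's serial in it.
func RevokedByCRL(issuer *x509.Certificate, crlDER []byte, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err // a CRL the CA did not sign must never drive the decision
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
// BuildDemo builds, in memory only, a CA, a client cert with constructed placeholder URLs, and a CRL revoking it.
func BuildDemo() (ca, client *x509.Certificate, crlDER []byte) {
	check := func(err error) { if err != nil { panic(err) } } // fixed inputs: any error is a bug
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	check(err)
	ca, err = x509.ParseCertificate(caDER) // parsed form carries the SubjectKeyId the CRL's AKI needs
	check(err)
	// Only the client's serial and its AIA/CRL DP URLs matter to the checks, so it is not signed here.
	client = &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "ldap-client"},
		OCSPServer:            []string{"http://ocsp.example.test"},          // constructed placeholder
		CRLDistributionPoints: []string{"http://crl.example.test/demo.crl"}} // constructed placeholder
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: client.SerialNumber, RevocationTime: time.Now()}}}, ca, caKey)
	check(err)
	return
}
```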
