Hi! Thanks for answering; meanwhile I realized that it is not needed as we don't use GNU TLS, but still: Where in the docs is indicated that "it takes a *list*"? The docs talk about "Specifies a file containing a Certificate Revocation List". For me neither "a file", nor "a list" is plural.
Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Quanah Gibson-Mount <qua...@fast-mail.org>
> Sent: Thursday, June 5, 2025 1:42 AM
> To: Windl, Ulrich <u.wi...@ukr.de>; openldap-technical@openldap.org
> Subject: [EXT] Re: Q: CRL handling for multiple CAs
>
> --On Tuesday, June 3, 2025 7:24 AM +0000 "Windl, Ulrich" <u.wi...@ukr.de> wrote:
>
> > Hi!
> >
> > I have a question:
> >
> > olcTLSCRLFile is SINGLE-VALUE in OpenLDAP 2.5
>
> You use a GnuTLS linked build of OpenLDAP? That seems unlikely? Also, it takes a *list*.
>
> olcTLSCRLFile: <filename>
>         Specifies a file containing a Certificate Revocation List to be
>         used for verifying that certificates have not been revoked. This
>         parameter is only valid when using GnuTLS.
>
> If you're using OpenSSL linked OpenLDAP, then:
>
> olcTLSCRLCheck: <level>
>         Specifies if the Certificate Revocation List (CRL) of the CA
>         should be used to verify if the client certificates have not
>         been revoked. This requires olcTLSCACertificatePath parameter to
>         be set. This parameter is ignored with GnuTLS. <level> can be
>         specified as one of the following keywords:
>
>         none    No CRL checks are performed
>         peer    Check the CRL of the peer certificate
>         all     Check the CRL for a whole certificate chain
>
> Regards,
> Quanah
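An added example, not part of this thread and not OpenLDAP's own code or documentation: the POSIX shell script below builds a throwaway PKI in a temp directory (constructed for the demo), publishes a CRL into a hashed directory of the kind olcTLSCACertificatePath has to point at, and then runs OpenSSL's verifier against a good and a revoked leaf with the verify flags that correspond to the none/peer/all levels quoted above (in OpenSSL terms, no CRL flag, CRL_CHECK, and CRL_CHECK_ALL). All paths, names, the openssl.cnf and the LDIF at the end are assumptions made for the demo; only the attribute names olcTLSCRLCheck and olcTLSCACertificatePath come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): build the hashed CA
# directory an OpenSSL-linked slapd needs for olcTLSCRLCheck, then check a good and
# a revoked leaf against it the way the library does. Everything here is a constructed
# throwaway PKI in a temp dir; only the two olc* attribute names are taken from the
# thread, the rest (paths, names, config) is assumed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/cacerts"            # hypothetical value for olcTLSCACertificatePath
CADIR="$WORK/ca"

build_demo_pki() {
  mkdir -p "$CAPATH" "$CADIR/newcerts"
  : > "$CADIR/index.txt"
  echo 01 > "$CADIR/serial"
  echo 01 > "$CADIR/crlnumber"
  # Minimal config for `openssl req` / `openssl ca`; $CADIR expands now, \$dir stays literal.
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # Self-signed CA, then two leaves issued by it; revoke the second and publish a CRL.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
    -config "$CADIR/openssl.cnf" -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
  for name in good revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" -config "$CADIR/openssl.cnf" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" \
      -in "$WORK/$name.csr" -out "$WORK/$name.crt" >/dev/null 2>&1
  done
  openssl ca -config "$CADIR/openssl.cnf" -revoke "$WORK/revoked.crt" >/dev/null 2>&1
  openssl ca -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/ca.crl" >/dev/null 2>&1

  # The hashed directory: OpenSSL looks a CA up as <hash>.0 and its CRL as <hash>.r0,
  # so the CRL has to sit next to the CA cert and the directory must be (re)hashed.
  cp "$CADIR/ca.crt" "$CADIR/ca.crl" "$CAPATH/"
  openssl rehash "$CAPATH" >/dev/null 2>&1 || c_rehash "$CAPATH" >/dev/null 2>&1
}

# $1 = none|peer|all (the olcTLSCRLCheck levels), $2 = leaf cert. Prints "accepted"
# or "rejected": the verdict OpenSSL gives for that leaf with the matching CRL flag.
verify_leaf() {
  case "$1" in
    none) flag="" ;;
    peer) flag="-crl_check" ;;
    all)  flag="-crl_check_all" ;;
    *) echo "usage: verify_leaf none|peer|all cert" >&2; return 2 ;;
  esac
  if openssl verify $flag -CApath "$CAPATH" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Number of CRL links (<hash>.r<n>) rehash created; 0 means CRL checking cannot work.
crl_links() {
  ls "$CAPATH" | grep -c '\.r[0-9]*$' || true
}

# The cn=config change that goes with the directory above (apply with ldapmodify).
print_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: $CAPATH
-
replace: olcTLSCRLCheck
olcTLSCRLCheck: all
EOF
}

if [ "${1:-}" = "demo" ]; then
  build_demo_pki
  echo "CRL links in $CAPATH: $(crl_links)"
  echo "good.crt under all:     $(verify_leaf all "$WORK/good.crt")"
  echo "revoked.crt under none: $(verify_leaf none "$WORK/revoked.crt")"
  echo "revoked.crt under peer: $(verify_leaf peer "$WORK/revoked.crt")"
  echo "revoked.crt under all:  $(verify_leaf all "$WORK/revoked.crt")"
  print_ldif
fi
```

Run it as `sh crl-demo.sh demo`. The two things worth checking on a real server follow from the script: the directory named by olcTLSCACertificatePath must contain the CRL file itself and a `<hash>.r0` link to it (re-run `openssl rehash` after adding certificates or CRLs; `crl_links` printing 0 is the usual reason CRL checks "do nothing"), and with the level `none` the revoked client certificate is accepted, which is the weak setting to look for.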