Joseph Bruni writes:
> -- call "curl" or "wget" to retrieve the CRL
> -- use "openssl crl -nextupdate ..." to extract the update time
> -- call "at" to schedule itself to run again in the future.
Here are some other things that would be worth taking into consideration.
In downloaded CRLs:
Look for CRLv2 sequence numbers -- don't go backwards
[See RFC 3280 5.2.3 CRL Number -- does openssl understand this?
probably not]
Look for a downloaded "next update" that's _earlier_ than on the CRL you're
replacing (this happened to us -- it's a very bad thing)
next update -
schedule your next fetch at some reasonable time period before
"next update". Schedule the fetch to repeat until it gets something
new [see above sanity checks], at some reasonable interval. I suggest
you take startfetch = (now + nextupdate)/2 and then do some kind of
exponential check as nextupdate gets close. Provide an optional warning
message about this.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]