List:       freeradius-users
Subject:    Re: A new CRL processing
From:       vince technical address <vince.technicaladdress () gmail ! com>
Date:       2014-10-29 17:10:20
Message-ID: CAPsjXrm0pmYCT5jFQQ-edUMGtgsM3k12ifpy_q-O96hPHNQWWQ () mail ! gmail ! com

The objective is to check for certificate revocation using CRL, directly
and simply distributed by the PKI without making any script (preprocessing of
the CRL and another for revocation checking).

So I understand that it is not so simple (except with OCSP).

Thank you.

2014-10-29 17:16 GMT+01:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:

>
> > On 29 Oct 2014, at 11:25, Alan DeKok <aland@deployingradius.com> wrote:
> >
> > vincent viard wrote:
> >> I just want to know if the following statement is always true:
> >>
> >> "You will still need to restart FreeRADIUS after downloading a new CRL"
> >
> >  OpenSSL doesn't allow for the dynamic reloading of CRLs.
> >
> >  If your CRLs change often, use OCSP.
>
> Or perform validation using the exposed cert fields. There's no reason why
> you couldn't use an SQL or LDAP directory to check certificate validity.
>
> Arran Cudbard-Bell <a.cudbardb@freeradius.org>
> FreeRADIUS development team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
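
The SQL lookup suggested in the quoted reply, as an added example that is not part of the thread and is not FreeRADIUS code. The table layout, function names and sample values are assumptions, and it assumes the certificate's issuer DN and serial number are among the exposed fields.

```python
import sqlite3

def norm_serial(serial):
    """Canonical serial: lowercase hex, no ':' or spaces, no '0x', no leading zeros."""
    s = serial.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("serial is not hex")
    return s.lstrip("0") or "0"

def open_db():
    db = sqlite3.connect(":memory:")
    # Serial numbers are only unique per issuer, so the key is (issuer, serial).
    db.execute("""CREATE TABLE revoked (
                    issuer     TEXT NOT NULL,
                    serial     TEXT NOT NULL,
                    revoked_at TEXT NOT NULL,
                    PRIMARY KEY (issuer, serial))""")
    return db

def revoke(db, issuer, serial, revoked_at):
    db.execute("INSERT OR IGNORE INTO revoked VALUES (?, ?, ?)",
               (issuer.strip(), norm_serial(serial), revoked_at))
    db.commit()

def is_allowed(db, issuer, serial):
    """True only if the serial parses and (issuer, serial) is not in the table."""
    try:
        key = (issuer.strip(), norm_serial(serial))
    except ValueError:
        return False  # fail closed on a malformed serial
    # Bound parameters: certificate fields are client-supplied text.
    row = db.execute("SELECT 1 FROM revoked WHERE issuer = ? AND serial = ?",
                     key).fetchone()
    return row is None

if __name__ == "__main__":
    ca = "/C=FR/O=Example/CN=Example Issuing CA"  # constructed sample issuer
    db = open_db()
    print(is_allowed(db, ca, "0a1b2c"))
    revoke(db, ca, "0A:1B:2C", "2014-10-29T17:00:00Z")  # constructed sample row
    # The very next lookup sees the new row; nothing has to be reloaded.
    print(is_allowed(db, ca, "0a1b2c"))
```

The issuer string is compared as stored, so the table has to hold the DN in the same textual form the server exposes.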



