S/MIME certificates with LDAP-only CRL uri

Alexander Grahn a.grahn at web.de
Thu Feb 23 18:37:30 CET 2023


On Thu, Feb 23, 2023 at 04:09:31PM +0100, Werner Koch wrote:
> On Thu, 23 Feb 2023 11:22, Alexander Grahn said:
> > Should an ldap host answer on ping requests in general? Because the one in
>
> Pinging arbitrary servers does often work because too many admins tend
> to block ICMP echo.  An LDAP server is commonly behind some load
> balancer and thus a ping won't help you anyway.
>
> > question, ldap.dgnservice.de, remains silent. I tried with other hosts picked
>
> Works for me.
>
> $ dirmngr --debug network --fetch-crl  'ldap://ldap.dgnservice.de:389/CN=CRL-1,O=DGN%20Service%20GmbH,C=DE?certificateRevocationList?base?objectClass=cRLDistributionPoint'
>
> dirmngr[27784.0]: dirmngr_ldap[27786]: found attribute 'certificateRevocationList;binary'
> dirmngr[27784.0]: update times of this CRL: this=20230222T230000 next=20230324T230000
> dirmngr[27784.0]: locating CRL issuer certificate by authorityKeyIdentifier
> dirmngr[27784.0]: DBG: find_cert_bysubject: certificate not in cache
> dirmngr[27784.0]: DBG: get_cert_local_ski called w/o context
>
> Thus it could read the CRL (see the update times) but for verification a
> certificate is missing.  That is a problem with the fetch-crl command of
> dirmngr.  I will look closer at the problem and thus I need to improve the
> error reporting.

Thank you for your reply. Does it mean that the problem is to be solved on the
GnuPG end?

Alexander
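The steps dirmngr logged above (locate the CRL issuer certificate by authorityKeyIdentifier, verify the CRL signature, then check the this/next update window) as an added example in Python; it is not code from this thread or from GnuPG. It uses the `cryptography` package, the hypothetical function names `issuer_for_crl`, `check_crl` and `make_ca_and_crl`, and a constructed test CA and CRL in place of the DGN one.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def issuer_for_crl(crl, candidates):
    """Find the candidate cert whose subjectKeyIdentifier equals the CRL's AKI."""
    aki = crl.extensions.get_extension_for_oid(
        ExtensionOID.AUTHORITY_KEY_IDENTIFIER).value.key_identifier
    for cert in candidates:
        skis = [e.value.digest for e in cert.extensions
                if e.oid == ExtensionOID.SUBJECT_KEY_IDENTIFIER]
        if aki in skis:
            return cert
    return None

def check_crl(crl_der, candidates, now=None):
    """Return (ok, reason): issuer lookup, signature check, then update window."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    crl = x509.load_der_x509_crl(crl_der)
    issuer = issuer_for_crl(crl, candidates)
    if issuer is None:  # the state dirmngr stopped in above: CRL read, no issuer cert
        return False, "CRL issuer certificate not found"
    if not crl.is_signature_valid(issuer.public_key()):
        return False, "CRL signature invalid"
    if not crl.last_update <= now <= crl.next_update:  # the this=/next= times
        return False, "CRL outside this/next update window"
    return True, "CRL verified"

def make_ca_and_crl(age_days=0):
    """Constructed test CA (hypothetical name) and an empty CRL it signed age_days ago."""
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CRL Issuer")])
    ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=age_days + 1))
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(ski, critical=False).sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now - dt.timedelta(days=age_days, hours=1))
           .next_update(now - dt.timedelta(days=age_days) + dt.timedelta(days=30))
           .add_extension(x509.AuthorityKeyIdentifier
                          .from_issuer_subject_key_identifier(ski), critical=False)
           .sign(key, hashes.SHA256()))
    return cert, crl.public_bytes(serialization.Encoding.DER)
```

With the real CRL, `candidates` would be the issuer certificates available locally, which is exactly what dirmngr's "certificate not in cache" line says it lacked.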