[gnutls-help] CRL revoked certs ignored

Victorian Spirit gnutls+etherape at kernelbug.org
Sun Apr 19 11:38:54 CEST 2015


Dear all,

I'm trying to get slapd (compiled against libgnutls) working with CRL checking.
So I created a CRL via certtool based on a cert I want to revoke.
In slapd I used 'TLSCRLFile'; this seems to be ignored.

To make sure gnutls is not the issue, I tested the CRL via gnutls-cli / gnutls-serv:
Server:
gnutls-serv --x509keyfile=clients/lrc-ldap.key \
            --x509certfile=clients/lrc-ldap.crt \
            --x509crlfile=crl.pem \
            --x509cafile=ca-cert.pem --echo
Client:
gnutls-cli --x509cafile=../ca-cert.pem lrc-ldap -p5556 \
           --x509certfile=lrc-ldapsearch.crt \
           --x509crlfile=../crl.pem

The client certificate is revoked and the CRL verifies successfully:
certtool --generate-crl --load-ca-privkey=ca-key.pem --load-ca-certificate=ca-cert.pem --outfile=crl.pem
certtool --verify-crl --load-ca-certificate ca-cert.pem < crl.pem

Still the client can establish a connection.
I hope I didn't miss something obvious, but I've been working on this for two days already
and I'm completely stuck.

Many thanks,
Etherape

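When a CRL is in place yet the connection still succeeds, a useful first check is whether the CRL file actually carries the client certificate's serial number. The script below is an added example, not part of the original post and not GnuTLS code: it walks the DER structure of an X.509 CRL (RFC 5280, section 5.1) just far enough to collect the serials under revokedCertificates, and it does not verify the CRL signature. The sample CRLs at the bottom are constructed inline; on a real crl.pem, pass the file contents through pem_to_der() first.

```python
import base64

def tlv(tag, body):  # tiny DER encoder, used only to build the constructed samples below
    assert len(body) < 128, "sample builder supports short-form lengths only"
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos (long-form lengths too)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, value_start, value_end) of every TLV directly inside a container."""
    out, pos = [], start
    while pos < end:
        out.append(_read_tlv(buf, pos))
        pos = out[-1][2]
    return out

def revoked_serials(crl_der):
    """Serial numbers (ints) under revokedCertificates of a DER CRL (RFC 5280 5.1)."""
    _, tbs_s, tbs_e = _children(crl_der, *_read_tlv(crl_der, 0)[1:])[0]  # TBSCertList
    fields = _children(crl_der, tbs_s, tbs_e)
    if fields[0][0] == 0x02:                        # optional version INTEGER
        fields = fields[1:]
    fields = fields[2:]                             # signature AlgorithmIdentifier, issuer
    while fields and fields[0][0] in (0x17, 0x18):  # thisUpdate, optional nextUpdate
        fields = fields[1:]
    if not fields or fields[0][0] != 0x30:          # no revokedCertificates: empty CRL
        return set()
    serials = set()
    for _, es, ee in _children(crl_der, *fields[0][1:]):
        _, ss, se = _children(crl_der, es, ee)[0]   # entry starts with INTEGER userCertificate
        serials.add(int.from_bytes(crl_der[ss:se], "big", signed=True))
    return serials

def pem_to_der(text):
    """Strip PEM armour (e.g. the contents of crl.pem) and return the DER bytes."""
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

# Constructed samples: empty issuer Name, dummy signature, and either two revoked
# entries (serials 0x1234 and 5) or no revokedCertificates field at all.
_UTC = tlv(0x17, b"150419000000Z")
_ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
_HEAD = tlv(0x02, b"\x01") + _ALG + tlv(0x30, b"") + _UTC + _UTC
_ENTRIES = tlv(0x30, tlv(0x02, b"\x12\x34") + _UTC) + tlv(0x30, tlv(0x02, b"\x05") + _UTC)
_TAIL = _ALG + tlv(0x03, b"\x00" * 9)
SAMPLE_CRL = tlv(0x30, tlv(0x30, _HEAD + tlv(0x30, _ENTRIES)) + _TAIL)
EMPTY_CRL = tlv(0x30, tlv(0x30, _HEAD) + _TAIL)
```

Compare the serials returned against the one shown by `certtool --certificate-info` for the client certificate; an empty set means the CRL revokes nothing, however cleanly it verifies against the CA.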