[Dovecot] TLS X.509 CRLs

Matthias-Christian Ott ott at mirix.org
Fri May 18 19:58:56 EEST 2012


On Mon, 14 May 2012 18:37:37 +0300, Timo Sirainen <tss at iki.fi> wrote:
> On Sun, 2012-05-13 at 18:43 +0200, Matthias-Christian Ott wrote:
> 
> > according to the documentation file referenced by ssl_ca must
> > contain the Client certificate CA and the corresponding CRL. Thus
> > dovecot would have to receive SIGHUP to reload a new CRL. Did I
> > understand this correctly?
> 
> Yeah.

Thanks for the confirmation. I think this should suffice for my use case
(I control the CA, so I can immediately upload a new CRL once I have
revoked a certificate), but it doesn't sound practical if you have a
bigger deployment, there will be a delay between the revocation and the
update of the CRL on the mail servers. OCSP could solve this (though
X.509 in the current form is broken and it is not clear whether it is
worth the effort).

Regards,
Matthias-Christian



More information about the dovecot mailing list