[Dovecot] TLS X.509 CRLs
Hi,
According to the documentation, the file referenced by ssl_ca must contain the client certificate CA and the corresponding CRL. Thus Dovecot would have to receive SIGHUP to reload a new CRL. Did I understand this correctly?
Regards, Matthias-Christian
On Sun, 2012-05-13 at 18:43 +0200, Matthias-Christian Ott wrote:
> According to the documentation, the file referenced by ssl_ca must contain the client certificate CA and the corresponding CRL. Thus Dovecot would have to receive SIGHUP to reload a new CRL. Did I understand this correctly?
Yeah.
On Mon, 14 May 2012 18:37:37 +0300, Timo Sirainen tss@iki.fi wrote:
> On Sun, 2012-05-13 at 18:43 +0200, Matthias-Christian Ott wrote:
> > According to the documentation, the file referenced by ssl_ca must contain the client certificate CA and the corresponding CRL. Thus Dovecot would have to receive SIGHUP to reload a new CRL. Did I understand this correctly?
> Yeah.
Thanks for the confirmation. I think this should suffice for my use case (I control the CA, so I can immediately upload a new CRL once I have revoked a certificate), but it doesn't sound practical if you have a bigger deployment: there will be a delay between the revocation and the update of the CRL on the mail servers. OCSP could solve this (though X.509 in its current form is broken and it is not clear whether it is worth the effort).
Regards, Matthias-Christian
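The procedure the thread settles on (keep the CA certificate and its CRL in the one file named by ssl_ca, then SIGHUP Dovecot so it re-reads that file) as an added shell example. This is not code from the thread or from the Dovecot project; the file names, the temporary directory and the sample PEM blocks are constructed for illustration, and the reload step only runs if `doveadm` is installed.

```shell
#!/bin/sh
# Added example (not Dovecot's own code): rebuild the ssl_ca bundle from a CA
# certificate plus its current CRL, sanity-check the result, and reload
# Dovecot so the new CRL is picked up. Paths below are assumptions.
#
# Matching Dovecot settings (conf.d/10-ssl.conf):
#   ssl_ca = </etc/dovecot/ssl/ca-with-crl.pem
#   ssl_verify_client_cert = yes

set -u

# Concatenate the CA certificate(s) and the CRL into one PEM bundle, written
# atomically so Dovecot never sees a half-written file on reload.
build_ssl_ca_bundle() {
    ca_pem=$1; crl_pem=$2; out=$3
    cat "$ca_pem" "$crl_pem" > "$out.tmp" || return 1
    mv "$out.tmp" "$out"
}

# Require at least one certificate and at least one CRL block. A bundle
# without a CRL means revoked client certificates are still accepted.
check_ssl_ca_bundle() {
    bundle=$1
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle")
    crls=$(grep -c -e '-----BEGIN X509 CRL-----' "$bundle")
    if [ "$certs" -lt 1 ]; then
        echo "$bundle: no CA certificate found" >&2
        return 1
    fi
    if [ "$crls" -lt 1 ]; then
        echo "$bundle: no CRL found, revoked client certs would still pass" >&2
        return 1
    fi
    return 0
}

# 'doveadm reload' sends SIGHUP to the Dovecot master process, which makes
# it re-read ssl_ca. Returns 2 when doveadm is not installed (dry run).
reload_dovecot() {
    if command -v doveadm >/dev/null 2>&1; then
        doveadm reload
    else
        echo "doveadm not found, skipping reload" >&2
        return 2
    fi
}

# Self-contained walk-through on constructed (not real) PEM blocks: the
# base64 bodies are placeholders, only the PEM markers matter to the check.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgQ0EgQ0VSVA==' '-----END CERTIFICATE-----' > "$tmp/ca.pem"
    printf '%s\n' '-----BEGIN X509 CRL-----' \
        'Q09OU1RSVUNURUQgQ1JM' '-----END X509 CRL-----' > "$tmp/ca.crl"
    build_ssl_ca_bundle "$tmp/ca.pem" "$tmp/ca.crl" "$tmp/ca-with-crl.pem" || return 1
    check_ssl_ca_bundle "$tmp/ca-with-crl.pem" || return 1
    # The CA file alone must be rejected: no CRL inside it.
    if check_ssl_ca_bundle "$tmp/ca.pem" 2>/dev/null; then return 1; fi
    rm -rf "$tmp"
    return 0
}

# Real deployment: regenerate the CRL on the CA, copy it here, then
#   build_ssl_ca_bundle ca.pem ca.crl /etc/dovecot/ssl/ca-with-crl.pem &&
#   check_ssl_ca_bundle /etc/dovecot/ssl/ca-with-crl.pem && reload_dovecot
```

Run the rebuild and the check from whatever job copies the fresh CRL onto the mail server; the reload is what closes the window the thread describes, since a revoked certificate keeps working until the running Dovecot has re-read ssl_ca.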