[Dovecot] how to handle CA CRL updates with client certificate verification context ?

Timo Sirainen tss at iki.fi
Fri Mar 13 23:17:28 EET 2009


On Fri, 2009-03-13 at 02:55 +0100, Raphael PRECIGOUT wrote:
> Hello,
> 
> As far as I can read in the Dovecot SSL configuration wiki page, each CA 
> cert must be followed by the related CA CRL in the client certificate 
> verification context ("ssl_ca_file" setting). In my company we do have 
> our own PKI and as soon as a client certificate is compromised we do 
> revoke it and update the related CA's CRL.
> Does that mean that I have to issue a new "ssl_ca_file" file as soon as 
> our issuing CA CRL is updated? If yes, does someone have an idea on how 
> to do so?

I haven't bothered to read how CRLs work exactly, but I'd guess "yes".
This is all handled by OpenSSL library internally, so whatever
documentation you can find about other servers using OpenSSL probably
applies to Dovecot too.

> Is it then necessary to restart dovecot process (to take the 
> "ssl_ca_file" file changes into account) ?

kill -HUP is enough.

> Does Dovecot have a way to check the issuing CA CRL automatically? (The 
> CRL is published in DER format and is accessible through http; the URI is 
> mentioned in the CRL Distribution Points of the CA certificate.)

If OpenSSL doesn't do that automatically (probably not), then not
currently. I guess that might be a nice feature in future, but it's a
very low priority to me.
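The thread leaves the bundle-building step to the admin, so here is an added example (not from the thread, the Dovecot wiki or Dovecot's own code) of what a refresh job has to get right: assemble ssl_ca_file as CA certificate followed by that CA's CRL, and refuse a CRL the CA did not sign or one already past its NextUpdate. It is written in Go against the standard library only; the function names and the in-memory test PKI (makeTestPKI, revoking client serial 42) are constructed for the example and stand in for the company CA and the DER CRL fetched from the distribution point.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// buildSSLCAFile returns the bundle Dovecot loads from ssl_ca_file: the CA cert PEM
// immediately followed by that CA's current CRL PEM. Foreign or expired CRLs are refused.
func buildSSLCAFile(caDER, crlDER []byte, now time.Time) ([]byte, error) {
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // must be this CA's own CRL, not another issuer's
	}
	if err == nil && now.After(crl.NextUpdate) {
		err = fmt.Errorf("CRL expired %s, fetch a fresh one before reloading", crl.NextUpdate)
	}
	if err != nil {
		return nil, fmt.Errorf("refusing CRL for %q: %w", ca.Subject.CommonName, err)
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})...), nil
}
// makeTestPKI is a constructed stand-in for the company PKI in the thread: an
// in-memory issuing CA plus a one-week CRL that revokes client serial 42.
func makeTestPKI(now time.Time) (caDER, crlDER []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is mandatory for a CRL issuer
	}
	if caDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv); err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER)
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}},
	}, ca, priv)
	return caDER, crlDER, err
}
```

Write the returned bytes over the file named in ssl_ca_file and then send the Dovecot master process SIGHUP, as Timo says above, so the new CRL is picked up.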