I've run into an interesting situation and need some advice. I'm building a server that will be validating clients via certs. So, I've coded this to handle CRLs, but I've encountered that if a CRL has "expired", no certificates related to that CA are considered valid. I'm not sure this is a good way to go, because I don't want to shut down communications just because of a CRL that hasn't been updated. The certificates that had been revoked are still revoked!
I thought about testing the CRL before loading it, but then that means anyone can connect with a cert that has been revoked. The other approach would be to set the "nextUpdate" field of the CRL farther into the future. Any suggestions on this?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]