On 02/07/13 20:07, Gert Doering wrote:
> Out of curiosity, as I've seen this mentioned a few times but never
> read a reason for the hash-thing - how does openvpn (or apache, etc.)
> know the hash for the CRL file to look for, when it hasn't seen the
> CRL yet?
>
> gert
All CRL support requires your servers to download the CRL via some schedule. Most parse the CA or server cert (which should contain either LDAP or HTTP urls to the CRL files) and download the CRL file at some interval < the lifetime of the CRL. *Then* you'd hash it, etc.

We have openvpn and client-cert protected web servers all over the place, all downloading CRL files every hour from the CA. The CA itself re-makes the CRL every hour, but with a 24 hour lifespan, which means we can take several hours of outages on any CRL component before our servers start rejecting valid connections... (you gotta think that part through - otherwise you will get burnt)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
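The refresh job Jason describes, as an added example that is not part of the thread: the "hash" in a hashed CRL directory is a hash of the issuer name, so a server can compute it from the CA certificate it already trusts (`openssl x509 -hash`) before it has ever seen a CRL, and the same value comes out of `openssl crl -hash` on the downloaded file. The script builds a throwaway CA and a 24-hour CRL in a temporary directory (constructed on the fly, not Trimble's CA), derives the `<hash>.r0` file name, and refuses to install a CRL that would not survive the configured outage margin. It assumes only the openssl(1) CLI (1.0.2 or newer) and a POSIX shell; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): server-side CRL
# refresh with an issuer-hash file name and a lifetime-margin check.
# Assumes openssl(1) 1.0.2+; the CA, key and CRL are constructed below.
set -eu

# Build a throwaway CA and an empty CRL with a 24-hour lifetime; prints the
# directory. The [ca] section is the minimum `openssl ca -gencrl` needs.
make_demo_ca() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Constructed Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    : > "$dir/index.txt"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database         = $dir/index.txt
default_md       = sha256
default_crl_days = 1
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 1 -md sha256 \
        -keyfile "$dir/ca.key" -cert "$dir/ca.crt" \
        -out "$dir/crl.pem" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# The capath/c_rehash name for a CRL is <hash-of-issuer-name>.r0. The hash
# depends only on the issuer DN, which is why `openssl x509 -noout -hash`
# on the CA certificate yields the same value as this call on the CRL.
crl_hash_name() {
    printf '%s.r0\n' "$(openssl crl -in "$1" -noout -hash)"
}

# Returns 0 if the CRL still validates (signature and nextUpdate) MARGIN
# seconds from now, i.e. an outage of that length will not cut clients off.
# `openssl verify -attime` does the date arithmetic, so nothing is parsed.
crl_ok_for_seconds() {
    crl=$1; ca=$2; margin=$3
    future=$(( $(date +%s) + margin ))
    openssl verify -attime "$future" -crl_check \
        -CAfile "$ca" -CRLfile "$crl" "$ca" >/dev/null 2>&1
}

# Install a freshly downloaded CRL into a hashed directory only if it passes
# the margin check; the rename swaps it atomically under a running server.
# Returns 1 and leaves any existing file alone if the CRL is unusable.
install_crl() {
    crl=$1; ca=$2; crldir=$3; margin=$4
    crl_ok_for_seconds "$crl" "$ca" "$margin" || return 1
    name=$(crl_hash_name "$crl")
    cp "$crl" "$crldir/$name.tmp"
    mv "$crldir/$name.tmp" "$crldir/$name"
    printf '%s\n' "$crldir/$name"
}

if [ "${1-}" = demo ]; then
    d=$(make_demo_ca)
    mkdir -p "$d/crls"
    # Hourly refresh with a 2-hour safety margin is accepted ...
    install_crl "$d/crl.pem" "$d/ca.crt" "$d/crls" 7200
    # ... a 48-hour margin exceeds the 24-hour CRL lifetime and is refused.
    install_crl "$d/crl.pem" "$d/ca.crt" "$d/crls" 172800 \
        || echo "refused: CRL would expire inside the margin"
fi
```

Run it with `sh crl-refresh.sh demo`. The margin is the knob Jason's last paragraph is about: a CRL reissued hourly with a 24-hour lifetime gives roughly a day of tolerance for a broken CA or download path, and the check above is what turns that tolerance into an alert instead of a silent outage when the downloaded file is already too close to its nextUpdate.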
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users