Welcome! Log In Create A New Profile

Advanced

Re: How are client certificate expired CRLs handled?

Maxim Dounin
November 26, 2015 08:30AM
Hello!

On Wed, Nov 25, 2015 at 11:58:19PM -0500, DankMemes wrote:

> If any of the concatenated CRLs in the file provided to ssl_crl have expired
> (root or intermediate), what is the Nginx behavior (assuming
> ssl_verify_client is on)? Does it result in failing verification of the
> client certificate (chain), or does it just log a warning, or nothing
> happens? If it does fail verification, how can I detect that specific
> problems and still perform the rest of verification (valid certificate which
> itself has not expired and chain of trust can be established to the
> verification depth) (the CA I'm using to generate the CRLs is on the same
> server, so it's not a problem if it's actually expired -- though a warning
> message would be nice as a reminder to the admin).

CRLs are just loaded by nginx from a file specified by the ssl_crl
directive, and no additional checks are made.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

How are client certificate expired CRLs handled?

DankMemes November 25, 2015 11:58PM

Re: How are client certificate expired CRLs handled?

Maxim Dounin November 26, 2015 08:30AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 193
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready