Show all posts by user
Thanks for suggestion!
The more I search, the more I think that there is some kind of bug. Other people also are not able to get EID CRL working with nginx.
https://github.com/konstantint/eid-webauth-samples/blame/master/nginx/ssl-site#L11
by instigater - Other discussion
I managed to build and test with version 1.11.4. The results are mixed. The good news is that it doesn't hang. The bad news is that CRL doesn't work and a legit client certificate is being rejected. The message is:
2016/09/28 18:40:44 4410#0: *1 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: ....
by instigater - Other discussion
Nothing while nginx is checking the client certificate, and I never waited long enough for nginx to finish processing the request (I managed to wait 100 minutes one time).
I can give you revoked user certificate (which is on the largest revocation list) to test in your environment.
by instigater - Other discussion
Cannot replicate as using just one CRL gives me error 400.
Testing with openssl against largest CRL finishes in 2.2 seconds
$ time openssl verify -crl_check -CAfile ESTEID-SK_2011.pem -CRLfile esteid2011.crl.pem reinis-eid.pem
reinis-eid.pem: C = EE, O = ESTEID (DIGI-ID E-RESIDENT), OU = authentication, CN = "MIKELSONS,REINIS,39303280025", SN = MIKELSONS, GN = REINIS, serialNumbe
by instigater - Other discussion
Hi,
I tried to implement Estonian ID card CRL. Unfortunately I failed with nginx version 1.8.0 and 1.10.1. Is it normal that nginx hangs with 100% CPU usage for a CRL size of 50 MB? I waited 100 minutes and it still had not finished processing one request. If/when will nginx support client certificate revocation check over OCSP, or is there some problem with large CRLs?
Here is the relevant co
by instigater - Other discussion