When I created my own certificates I only had CRLs. Today we use company
certificates, and they too use CRLs, but the signing certificate also has OCSP
configured in the certificate.
Regardless of whether it's using CRLs or OCSP, obviously when that server is not
available it might be a problem. I think it depends on the application; your
application might be configured to validate the certificate. I didn't really
check what the options are within Linux; our Linux servers use certificates, but
the clients are mostly Windows users.
My Bluezone can be configured to check for certificate revocation, but I have
set it not to check the certificate status. I don't know for sure whether that
was the default or whether I set it this way myself.
Met vriendelijke groet/With kind regards/Mit freundlichen Grüßen,
Berry van Sleeuwen
Flight Forum 3000 5657 EW Eindhoven
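As an added illustration of the two points above (revocation checking is up to the application, and an unreachable CRL server is a failure), not something posted in this thread: the script below builds a throwaway CA with the openssl CLI, issues one valid and one revoked certificate, publishes a CRL, and runs `openssl verify -crl_check` three times: valid cert with the CRL on hand, revoked cert with the CRL on hand, and valid cert with no CRL available at all. All names, paths and the CA itself are constructed for the example. It needs only `openssl` and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread): exercise CRL checking on Linux with
# nothing but the openssl CLI. Everything here is constructed locally: a
# throwaway CA, one leaf certificate that stays valid and one that is revoked.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for "openssl ca": index.txt is the database that records
# revocations, and those records are what end up in the CRL. Names are arbitrary.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 7
EOF
: > index.txt

# Self-signed test CA (hypothetical name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1

# issue_leaf NAME: key + CSR for NAME, signed by the test CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 30 >/dev/null 2>&1
}

issue_leaf good
issue_leaf revoked

# Revoke one certificate and publish the CRL. On a real CA, this file is what
# the CDP URL inside the certificate points at.
openssl ca -config ca.cnf -revoke revoked.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# check_with_crl CERT: CRL checking enabled, CRL supplied from a local file.
# openssl does not download it from the CDP; fetching is the application's job.
# Prints "ok", "revoked", or the verify error text.
check_with_crl() {
  if out="$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" 2>&1)"; then
    echo ok
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo "error: $out" ;;
    esac
  fi
}

# check_without_crl CERT: CRL checking enabled but no CRL available, i.e. the
# "internal server cannot reach the CRL host" case from the thread. OpenSSL
# fails closed instead of treating the certificate as good.
check_without_crl() {
  if out="$(openssl verify -crl_check -CAfile ca.crt "$1" 2>&1)"; then
    echo ok
  else
    case "$out" in
      *"unable to get certificate CRL"*) echo no-crl ;;
      *) echo "error: $out" ;;
    esac
  fi
}

echo "good.crt, CRL present:     $(check_with_crl good.crt)"
echo "revoked.crt, CRL present:  $(check_with_crl revoked.crt)"
echo "good.crt, CRL unreachable: $(check_without_crl good.crt)"
```

The third case is the one that bites in practice: once checking is switched on, a missing CRL is a hard verification failure, which is exactly the surprise described for internal servers that cannot reach the CRL host. The same pattern applies to curl, which takes a locally fetched CRL with `--crlfile` and does not retrieve it from the CDP on its own.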
-Original Message-
From: Linux on 390 Port On Behalf Of Phil Smith III
Sent: Monday, 8 January 2024 21:33
To: LINUX-390@VM.MARIST.EDU
Subject: Re: CRLs on Linux
I asked this quite a while ago (last June!) and nobody responded. Whether
that's because nobody knows or because (I now realize) I might not have asked
it very well is unclear, so here I am asking again.
Do people use CRLs on Linux?
My understanding is that CRLs are mostly a Windows thing, but that some stacks
on other platforms do support them. For example, I saw something (not verified)
suggesting that if you fetch the CRL lists manually, cURL will validate the CDP
info. That's certainly not as integrated as on Windows, which is arguably not a
bad thing.
IOW, on Windows, "of course" they work; but if they still mostly (I think)
don't work on Linux et al., are people even bothering? I suspect not. Plus they
add latency, and possible failure. On Windows we see users who renew a
certificate and the new one has CDP info in it, and suddenly something doesn't
work because the server they're testing it on is internal and can't get to the
CRL server. Since they had no expectation that it would even try, this is a
surprise and a problem. Our solution was to make it disable-able (by the
developer, not the end-user), which seems to sort of miss the point of having
CRLs in the first place, but what other choice is there? And yes, that's a
separate and quite different question!
--
For LINUX-390 subscribe / signoff / archive access instructions, send email to
lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390