Re: CRLs on Linux

2024-01-09 Thread Berry van Sleeuwen
When I created my own certificates I only had CRLs. Today we use company 
certificates and they too use CRLs, but the signing certificate also has OCSP 
configured in the certificate.

Regardless of whether it's using CRLs or OCSP, obviously when that server is not 
available it might be a problem. I think it depends on the application; your 
application might be configured to validate the certificate. I didn't really 
check what the options are within Linux; our Linux servers use certificates, but 
the clients are mostly Windows users.

My Bluezone can be configured to check for certificate revocation, but I have 
set it to not check the certificate status. I don't know for sure whether that was 
the default or whether I had set it this way myself.

Met vriendelijke groet/With kind regards/Mit freundlichen Grüßen,
Berry van Sleeuwen
Flight Forum 3000 5657 EW Eindhoven


--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390


Re: CRLs on Linux

2024-01-08 Thread Phil Smith III
I asked this quite a while ago (last June!) and nobody responded. Whether 
that's because nobody knows or because (I now realize) I might not have asked 
it very well is unclear, so here I am asking again.

Do people use CRLs on Linux?

My understanding is that CRLs are mostly a Windows thing, but that some stacks 
on other platforms do support them. For example, I saw something (not verified) 
suggesting that if you fetch the CRL lists manually, cURL will validate the CDP 
info. That's certainly not as integrated as on Windows, which is arguably not a 
bad thing.

IOW, on Windows, "of course" they work; but if they still mostly (I think) 
don't work on Linux et al., are people even bothering? I suspect not. Plus they 
add latency, and possible failure. On Windows we see users who renew a 
certificate and the new one has CDP info in it, and suddenly something doesn't 
work because the server they're testing it on is internal and can't get to the 
CRL server. Since they had no expectation that it would even try, this is a 
surprise and a problem. Our solution was to make it disable-able (by the 
developer, not the end-user), which seems to sort of miss the point of having 
CRLs in the first place, but what other choice is there? And yes, that's a 
separate and quite different question!


CRLs on Linux

2023-06-14 Thread Phil Smith III
Do people use CRLs on Linux? I have some information (not verified) that if you 
fetch the CRL lists manually, curl will use the information. That's certainly 
not as integrated as on Windows, which is arguably not a bad thing. On Windows 
we see users who renew a certificate and the new one has CDP info in it, and 
suddenly something doesn't work because the server they're using it on is 
internal and can't get to the CRL server. Since they had no expectation that it 
would even try, this is a surprise and a problem.

What, if anything, do y'all know about this?

Thanks,

...phsiii

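The "fetch the CRL manually" workflow Phil describes in both of his posts, and the hard failure that hits a host which cannot reach the CDP, shown with the OpenSSL command-line tools. This is an added example, not code from the thread: it builds a throwaway CA in a temp directory, issues a leaf with a constructed CDP URL (crl.example), revokes it in a CRL, and runs `openssl verify -crl_check` once with the CRL on disk and once without it. It assumes only that `openssl` (1.1.1 or later, for `-ext`) and `mktemp` are installed.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA, a leaf cert with a
# constructed CDP, a CRL that revokes it, and openssl verify run both with
# the CRL at hand and without it (the "can't reach the CRL server" case).
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throwaway CA and a leaf certificate; the CDP URL is constructed for the demo.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
echo 'crlDistributionPoints=URI:http://crl.example/demo.crl' > ext.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile ext.cnf -out leaf.pem >/dev/null 2>&1

# Minimal 'openssl ca' database so the CA can revoke the leaf and issue a CRL.
touch index.txt; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1

# The URL a relying party would have to fetch by hand (e.g. curl -o demo.crl "$URL").
cdp_url() { openssl x509 -in leaf.pem -noout -ext crlDistributionPoints | grep -o 'http[^ ]*'; }

# With the CRL present, -crl_check sees the revocation: prints "revoked".
verify_with_crl() {
    if openssl verify -crl_check -CAfile ca.pem -CRLfile demo.crl leaf.pem >/dev/null 2>&1
    then echo ok; else echo revoked; fi
}

# With -crl_check but no CRL available, openssl fails closed: prints "fail".
# This is the surprise the thread describes when an internal host cannot reach the CDP.
verify_no_crl() {
    if openssl verify -crl_check -CAfile ca.pem leaf.pem >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

echo "CDP: $(cdp_url)"; verify_with_crl; verify_no_crl
```

Dropping `-crl_check` makes the last call succeed again, which is exactly the "disable-able" trade-off the thread discusses: without a reachable CRL the check either fails closed or is skipped entirely.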