Steve Hoffman wrote:
I don't believe this is correct functionality. The "next update" field is not an expiration of the CRL, but more of an indicator that you, as the holder of the CRL, should obtain a new one. ...
I'd like to suggest removing this check.
Hi there
I think you're right Steve - but I'd not like to see that check disappear :-)
We're big users of PKI (well in my mind we are) and every product I've seen that supports CRLs treats it like stunnel today does. i.e. a CRL that is older than the "next update" field is treated as an error condition and access is refused until it is fixed.
However, some of those products did provide this feature as a flag. So you could basically ignore this issue if you wished. I for one 100% rely on it causing SSL-based products to refuse new connections until it is fixed. We have a 24 hour lifespan and all products look for CRL updates every hour, so there should be no normal way that this causes a problem. However, if it did happen, it would imply something was majorly wrong and failing closed is the correct response.
... of course this does bring up an old question about stunnel's CRL support (see: "stunnel and expiring CRLs" ;-)
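The check the thread is arguing about, written out as an added example (this is not stunnel's or OpenSSL's code; stunnel delegates the test to OpenSSL's verifier, which reports a CRL whose nextUpdate has passed as X509_V_ERR_CRL_HAS_EXPIRED and one whose thisUpdate lies in the future as X509_V_ERR_CRL_NOT_YET_VALID). The Python below uses only the standard library: it pulls thisUpdate and nextUpdate out of a DER-encoded CRL with a minimal TLV walk, then applies the fail-closed policy described above, with the "ignore stale CRL" flag some products offer. The function names (`crl_update_times`, `crl_acceptable`, `sample_crl`) and the sample CRL are assumptions of this example; the sample carries an empty issuer and a placeholder signature because only freshness is being shown here, and a real deployment must still verify the CRL signature against the issuing CA before trusting either date.

```python
"""Freshness check on a DER CRL's thisUpdate/nextUpdate, fail-closed by default.

Added example, not stunnel or OpenSSL code. Stdlib only; DER walk is the minimum
needed to reach the two Time fields of TBSCertList (RFC 5280 section 5.1).
"""
from datetime import datetime, timedelta, timezone

# --- minimal DER helpers -------------------------------------------------------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), Zulu form only."""
    s = value.decode("ascii")
    if tag == 0x17:                        # YYMMDDHHMMSSZ, RFC 5280 century rule
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        f = (year, s[2:4], s[4:6], s[6:8], s[8:10], s[10:12])
    elif tag == 0x18:                      # YYYYMMDDHHMMSSZ
        f = (int(s[:4]), s[4:6], s[6:8], s[8:10], s[10:12], s[12:14])
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime(f[0], *map(int, f[1:]), tzinfo=timezone.utc)

# --- the two fields stunnel's check depends on ----------------------------------

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, crl, _ = _read_tlv(der, 0)          # CertificateList ::= SEQUENCE
    _, tbs, _ = _read_tlv(crl, 0)          # tbsCertList  ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)        # version INTEGER (optional) or signature
    if tag == 0x02:
        _, _, pos = _read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)    # thisUpdate (mandatory)
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):                     # nextUpdate is OPTIONAL
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, val)
    return this_update, next_update

def crl_acceptable(der, now, ignore_stale=False):
    """Apply the policy under discussion: a CRL past nextUpdate is an error
    and the connection is refused, unless the operator opted to ignore it."""
    this_update, next_update = crl_update_times(der)
    if now < this_update:
        return False, "CRL thisUpdate is in the future (clock skew or bad CRL)"
    if next_update is None:
        return True, "CRL carries no nextUpdate; nothing to age out"
    if now > next_update:
        if ignore_stale:
            return True, "CRL is past nextUpdate but the ignore flag is set"
        return False, "CRL is past nextUpdate; refusing until a fresh CRL arrives"
    return True, "CRL is current"

# --- constructed sample input (assumption: empty issuer, placeholder signature) --

def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _utctime(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def sample_crl(this_update, next_update):
    """Build a structurally valid v1 CRL with the given dates and no entries."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x30, b"")
               + _utctime(this_update) + _utctime(next_update) + _der(0x30, b""))
    fake_sig = _der(0x03, b"\x00" * 9)     # placeholder BIT STRING, never verified here
    return _der(0x30, tbs + alg + fake_sig)

# 24 hour lifespan, hourly refresh, as in the deployment described above.
T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(hours=24)
SAMPLE_CRL = sample_crl(T0, T0 + ONE_DAY)

if __name__ == "__main__":
    for label, now in (("1h after issue", T0 + ONE_HOUR), ("25h after issue", T0 + ONE_DAY + ONE_HOUR)):
        print(label, crl_acceptable(SAMPLE_CRL, now))
    print("25h, ignore flag", crl_acceptable(SAMPLE_CRL, T0 + ONE_DAY + ONE_HOUR, ignore_stale=True))
```

With hourly refreshes against a 24 hour lifespan the stale branch is only reached when the refresh has been failing for roughly a day, which is exactly the situation the poster wants treated as an error; the `ignore_stale` flag is there for operators who prefer the behaviour Steve describes, and should be an explicit, logged choice rather than the default.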