[stunnel-users] crl next update field functionality seems incorrect

Jason Haar Jason.Haar at trimble.co.nz
Wed Feb 4 02:27:52 CET 2009


Steve Hoffman wrote:
>
> I don't believe this is correct functionality.  The "next update" field is not an expiration of the CRL, but more of an indicator that you, as the holder of the CRL, should obtain a new one.
> ...
>
> I'd like to suggest removing this check.
>
>   
Hi there

I think you're right Steve - but I'd not like to see that check
disappear :-)

We're big users of PKI (well in my mind we are) and every product I've
seen that supports CRLs treats it like stunnel today does. i.e. a CRL
that is older than the "next update" field is treated as an error
condition and access is refused until it is fixed.

However, some of those products did provide this feature as a flag. So
you could basically ignore this issue if you wished. I for one 100% rely
on it causing SSL-based products to refuse new connections until it is
fixed. We have a 24 hour lifespan and all products looks for CRL updates
every hour, so there should be no normal way that this causes a problem.
However, if it did happen, it would imply something was majorly wrong
and failing closed is the correct response.

... of course this does bring up an old question about stunnel's CRL
support (see: "stunnel and expiring CRLs" ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the stunnel-users mailing list