imapd, TLS and CRLs
stacy at Millions.Ca
Thu May 27 13:04:53 EDT 2010
I have been working on deploying an imap server using EXTERNAL+TLS
authentication. Everything is working fine and then I discover that
there is no support for CRLs in imapd; from my point of view this is a Bad

I searched the mailing list and found a discussion of this in 2005/02
with the final word being (I'll paraphrase) "sounds interesting, patches

All right, the attached implements CRL checking via a 'tls_crl' option
in imapd.conf. Just point it at a PEM encoded CRL file. The file can
contain multiple CRLs if you have more than one CA you care about.

What it doesn't do is:
- implement crl_path
- implement CRL checking in the TLS client code

It also suffers from the fact that this code is run at initialisation
time. When the CRL expires you need to get a fresh CRL, and you need to
restart imapd; but this is the same behavior as Apache httpd and sendmail.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
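
An added example, not part of the original post or of the attached patch: since the CRL file is read once at start-up, an operator needs to know when any CRL in it is about to pass its nextUpdate so the file can be refreshed and imapd restarted. This Python script walks a PEM file holding several CRLs, as the 'tls_crl' option accepts, and reports the ones due within a margin; the function names, the one-day default margin and the sample data are assumptions made for the example.

```python
import base64, re
from datetime import datetime, timedelta, timezone

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 pivot, YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def next_update(der):
    """nextUpdate of one DER CRL, or None when that optional field is absent."""
    _, pos, _ = tlv(der, 0)       # CertificateList
    _, pos, end = tlv(der, pos)   # TBSCertList
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = tlv(der, pos)
        if tag in (0x17, 0x18):   # UTCTime / GeneralizedTime
            times.append(parse_time(tag, der[start:stop]))
        elif times:
            break                 # thisUpdate was not followed by a Time
        pos = stop
    return times[1] if len(times) == 2 else None

def crls_needing_refresh(pem_text, now, margin=timedelta(days=1)):
    """[(index, nextUpdate)] for each CRL in the file due before now + margin."""
    found = ((i, next_update(base64.b64decode(m.group(1))))
             for i, m in enumerate(PEM_CRL.finditer(pem_text)))
    return [(i, nu) for i, nu in found if nu is None or nu <= now + margin]

# Constructed sample: unsigned, minimal CRL skeletons, not real CRLs.
def _seq(*parts):
    return bytes([0x30, sum(map(len, parts))]) + b"".join(parts)

def _sample(this_upd, next_upd):
    tbs = _seq(b"\x02\x01\x01", _seq(), _seq(), b"\x17\x0d" + this_upd, b"\x17\x0d" + next_upd)
    b64 = base64.b64encode(_seq(tbs, _seq(), b"\x03\x01\x00")).decode()
    return f"-----BEGIN X509 CRL-----\n{b64}\n-----END X509 CRL-----\n"

SAMPLE = _sample(b"100501000000Z", b"100601000000Z") + _sample(b"100501000000Z", b"100528000000Z")
```

A CRL with no nextUpdate field is reported as well, since its expiry cannot be determined from the file.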