imapd, TLS and CRLs

Stacy Millions stacy at Millions.Ca
Thu May 27 13:04:53 EDT 2010

I have been working on deploying an imap server using EXTERNAL+TLS 
authentication. Everything is working fine and then I discover that 
there is no support CRLs in imapd; from my point of view this is a Bad 

I searched the mailing list and found a discussion of this in 2005/02 
with the final word being (I'll paraphrase) "sounds interesting, patches 

All right, the attached implements CRL checking via a 'tls_crl' option 
in imapd.conf. Just point it at a PEM encoded CRL file. The file can 
contain multiple CRLs if you have more than one CA you care about.

What it doesn't do is:
- implement crl_path
- implement CRL checking in the TLS client code

It also suffers from the fact that this code is ran at initialisation 
time. When the CRL expires you need to get a fresh CRL, you need to 
restart imapd; but this is the same behavior as Apache httpd and sendmail.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-crl

More information about the Info-cyrus mailing list