imapd, TLS and CRLs
Stacy Millions
stacy at Millions.Ca
Thu May 27 13:04:53 EDT 2010
I have been working on deploying an imap server using EXTERNAL+TLS
authentication. Everything is working fine and then I discover that
there is no support for CRLs in imapd; from my point of view this is a Bad
Thing(tm).
I searched the mailing list and found a discussion of this in 2005/02
with the final word being (I'll paraphrase) "sounds interesting, patches
welcome."
All right, the attached implements CRL checking via a 'tls_crl' option
in imapd.conf. Just point it at a PEM encoded CRL file. The file can
contain multiple CRLs if you have more than one CA you care about.
What it doesn't do is:
- implement crl_path
- implement CRL checking in the TLS client code
It also suffers from the fact that this code is run at initialisation
time. When the CRL expires and you get a fresh CRL, you need to
restart imapd; but this is the same behavior as Apache httpd and sendmail.
-stacy
Attachment (scrubbed by the list archive): patch-crl
http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20100527/bd97bbaf/attachment.ksh
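Because the CRL file is read once at startup and an expired CRL silently stops being useful until imapd is restarted, an operator wants a quick way to audit whatever a `tls_crl` setting points at: how many CRL blocks the PEM bundle holds, who issued each one, and whether any is already past its nextUpdate. The following stand-alone Python script is an added example written for this page; it is not part of the attached patch or of Cyrus imapd. It uses only the standard library, walks just enough DER to reach the fixed leading fields of a CertificateList (version, signature algorithm, issuer, thisUpdate, nextUpdate), and does not verify CRL signatures. The two CRLs it checks are constructed, unsigned samples built inline so the script runs offline; the hypothetical `check_crl_bundle` function is what you would point at a real file.

```python
"""Audit a PEM bundle of CRLs (the kind of file a 'tls_crl' option would name).

Added example: reports issuer CN and freshness of each CRL block using only
the Python standard library. It parses the leading TBSCertList fields and
does NOT check signatures; use it as an expiry/contents check, not as trust.
"""
import base64
import re
from datetime import datetime, timedelta, timezone

OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


# --- minimal DER reader: enough for the fixed prefix of an X.509 CRL --------
def der_read(buf, pos):
    """Return (tag, content_start, content_end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, start, end) for each TLV laid out inside [start, end)."""
    pos = start
    while pos < end:
        tag, cs, ce = der_read(buf, pos)
        yield tag, cs, ce
        pos = ce


def der_time(buf, tag, start, end):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    text = buf[start:end].decode("ascii")
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def issuer_cn(der, name):
    """Pull the commonName out of a Name (SEQUENCE OF SET OF SEQUENCE{OID, value})."""
    for _, rs, re_ in der_children(der, name[1], name[2]):
        for _, as_, ae in der_children(der, rs, re_):
            oid, val = list(der_children(der, as_, ae))
            if der[oid[1]:oid[2]] == OID_CN:
                return der[val[1]:val[2]].decode("utf-8")
    return "<no CN>"


def parse_crl(der):
    """Return (issuer_cn, thisUpdate, nextUpdate or None) from a DER CertificateList."""
    tag, s, e = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    tbs = next(der_children(der, s, e))            # first element: TBSCertList
    fields = list(der_children(der, tbs[1], tbs[2]))
    i = 1 if fields[0][0] == 0x02 else 0           # optional version INTEGER
    issuer = issuer_cn(der, fields[i + 1])         # fields[i] is the signature AlgorithmIdentifier
    this_update = der_time(der, *fields[i + 2])
    next_update = None
    if i + 3 < len(fields) and fields[i + 3][0] in (0x17, 0x18):
        next_update = der_time(der, *fields[i + 3])
    return issuer, this_update, next_update


# --- PEM handling and the actual audit ---------------------------------------
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in the bundle, in order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def check_crl_bundle(text, now):
    """Return [(issuer_cn_or_label, status)] for each block in a tls_crl-style bundle."""
    report = []
    for label, der in pem_blocks(text):
        if label != "X509 CRL":                    # a stray cert or key does not belong here
            report.append((label, "ignored: not a CRL block"))
            continue
        issuer, _this_update, next_update = parse_crl(der)
        if next_update is None:
            status = "warning: no nextUpdate"
        elif next_update <= now:
            status = "expired"                     # imapd would keep using it until restarted
        else:
            status = "ok"
        report.append((issuer, status))
    return report


# --- constructed sample input (unsigned, structurally valid CRLs) ------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))


def fake_crl(cn, this_update, next_update):
    """Build a CRL with a zeroed signature: fine for parsing, worthless for trust."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30, der(0x02, b"\x01") + SHA256_RSA + name + utc(this_update) + utc(next_update))
    return der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 5))


def to_pem(label, body):
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


NOW = datetime(2010, 5, 27, 17, 4, 53, tzinfo=timezone.utc)  # fixed clock for the sample
SAMPLE_BUNDLE = (
    to_pem("X509 CRL", fake_crl("Example Root CA", NOW - timedelta(days=1), NOW + timedelta(days=6)))
    + to_pem("X509 CRL", fake_crl("Example Issuing CA", NOW - timedelta(days=30), NOW - timedelta(days=1)))
    + to_pem("CERTIFICATE", b"\x30\x03\x02\x01\x00")  # stray block: reported, not parsed as a CRL
)

if __name__ == "__main__":
    for who, status in check_crl_bundle(SAMPLE_BUNDLE, NOW):
        print(f"{who}: {status}")
```

Run it against a real bundle with `check_crl_bundle(open(path).read(), datetime.now(timezone.utc))`; any "expired" line means the running imapd is enforcing a list that no longer reflects what the CA has revoked since, which is exactly the restart-after-refresh caveat above, so the check belongs in whatever job fetches new CRLs.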