imapd, TLS and CRLs
Wesley Craig
wes at umich.edu
Thu May 27 13:45:35 EDT 2010
Can you submit this to the Cyrus Bugzilla, please.
:wes
On 27 May 2010, at 13:04, Stacy Millions wrote:
> I have been working on deploying an imap server using EXTERNAL+TLS
> authentication. Everything is working fine and then I discover that
> there is no support for CRLs in imapd; from my point of view this is a
> Bad Thing(tm).
>
> I searched the mailing list and found a discussion of this in
> 2005/02 with the final word being (I'll paraphrase) "sounds
> interesting, patches welcome."
>
> All right, the attached implements CRL checking via a 'tls_crl'
> option in imapd.conf. Just point it at a PEM encoded CRL file. The
> file can contain multiple CRLs if you have more than one CA you
> care about.
>
> What it doesn't do is:
> - implement crl_path
> - implement CRL checking in the TLS client code
>
> It also suffers from the fact that this code is run at
> initialisation time. When the CRL expires and you need to get a fresh
> CRL, you need to restart imapd; but this is the same behavior as
> Apache httpd and sendmail.
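As an added illustration of the two points in the post (a single 'tls_crl' file that may hold several PEM CRLs, and the fact that CRLs are loaded once at startup), here is a small self-contained Python script. It is not the attached Cyrus patch and not Cyrus code: it uses Python's standard ssl module in place of imapd's C TLS setup, takes the option name tls_crl from the post, and builds its sample CRL file from constructed CRLs with junk signatures, which OpenSSL parses at load time and would only reject during chain verification. The earliest_next_update() helper is the operator-side check for the restart caveat: it reports when the CRL set loaded at startup goes stale.

```python
# Added example (not the Cyrus patch): load an imapd.conf-style tls_crl file
# into an OpenSSL-backed server context and report when the CRL set goes stale.
import base64
import datetime as dt
import os
import ssl
import tempfile

SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("0603550403")                  # OID 2.5.4.3 (commonName)
UTC = dt.timezone.utc

def der(tag, payload):
    """Minimal DER TLV encoder (definite lengths below 65536 bytes)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload

def utctime(ts):
    return der(0x17, ts.strftime("%y%m%d%H%M%SZ").encode())

def fake_crl_pem(issuer_cn, this_update, next_update, revoked_serials):
    """Constructed X.509 v2 CRL with a junk signature: OpenSSL parses it at load
    time and would only reject it during chain verification. Serials stay below
    0x8000 so the two-byte INTEGER encoding is positive."""
    sig_alg = der(0x30, SHA256_RSA + b"\x05\x00")
    issuer = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, issuer_cn.encode()))))
    revoked = der(0x30, b"".join(der(0x30, der(0x02, s.to_bytes(2, "big")) + utctime(this_update))
                                 for s in revoked_serials)) if revoked_serials else b""
    tbs = der(0x30, der(0x02, b"\x01") + sig_alg + issuer
              + utctime(this_update) + utctime(next_update) + revoked)
    crl = der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(256)))
    return ("-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl).decode()
            + "-----END X509 CRL-----\n")

def write_sample_crl_file():
    """Two constructed CRLs from two CAs in one file, as the post says tls_crl allows."""
    t0 = dt.datetime(2024, 1, 1, tzinfo=UTC)
    text = (fake_crl_pem("Example CA 1", t0, dt.datetime(2025, 1, 1, tzinfo=UTC), [0x1001])
            + fake_crl_pem("Example CA 2", t0, dt.datetime(2024, 7, 1, tzinfo=UTC), []))
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path

def build_server_context(conf):
    """conf holds imapd.conf keys as a dict; only tls_crl is consumed here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # SASL EXTERNAL needs a verified client cert
    if conf.get("tls_crl"):
        # CRLs go into the same X509_STORE as the CA certs, but OpenSSL
        # ignores them unless a CRL_CHECK flag is also set.
        ctx.load_verify_locations(cafile=conf["tls_crl"])
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def crl_check_enabled(ctx):
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)

def read_tlv(buf, off):
    """Decode one DER TLV at off; returns (tag, value, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    return tag, buf[off + hdr:off + hdr + n], off + hdr + n

def pem_crls(path):
    """Split a PEM file into its DER CRL bodies (the file may hold several)."""
    out, cur = [], None
    with open(path) as f:
        for line in f:
            if line.startswith("-----BEGIN X509 CRL-----"):
                cur = []
            elif line.startswith("-----END X509 CRL-----"):
                out.append(base64.b64decode("".join(cur)))
                cur = None
            elif cur is not None:
                cur.append(line.strip())
    return out

def crl_next_update(der_crl):
    """Walk CertificateList -> tbsCertList to nextUpdate (None if omitted)."""
    _, cert_list, _ = read_tlv(der_crl, 0)
    _, tbs, _ = read_tlv(cert_list, 0)
    tag, _, off = read_tlv(tbs, 0)      # version (optional) or signature
    if tag == 0x02:
        _, _, off = read_tlv(tbs, off)  # signature AlgorithmIdentifier
    _, _, off = read_tlv(tbs, off)      # issuer
    _, _, off = read_tlv(tbs, off)      # thisUpdate
    if off >= len(tbs):
        return None
    tag, val, _ = read_tlv(tbs, off)
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:                     # revokedCertificates or extensions instead
        return None
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)

def earliest_next_update(path):
    """When the CRLs loaded at startup go stale and the daemon needs a restart."""
    times = [t for t in map(crl_next_update, pem_crls(path)) if t is not None]
    return min(times) if times else None
```

Two design points worth noting. VERIFY_CRL_CHECK_LEAF checks only the client certificate itself, which matches what an EXTERNAL login needs; switching to VERIFY_CRL_CHECK_CHAIN makes OpenSSL demand a CRL for every CA in the chain, so a missing intermediate CRL then fails all logins rather than just skipping the check. And since the CRLs are read once at startup, a cron job that compares earliest_next_update() against the clock is the simplest way to know when the restart the post mentions is actually due.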