Hi,
I'm trying to get slapd (compiled against libgnutls) working with CRL checking.
So i created a CRL via certtool based on a cert i want to revoke.
In slapd i used 'TLSCRLFile' this seems to be ignored.
To make sure gnutls is not the issue i tested CRL via gnutls-cli / gnutls-serv
Server:
gnutls-serv --x509keyfile=clients/lrc-ldap.key \
--x509certfile=clients/lrc-ldap.crt \
--x509crlfile=crl.pem \
--x509cafile=ca-cert.pem --echo
client:
gnutls-cli --x509cafile=../ca-cert.pem lrc-ldap -p5556 \
--x509certfile=lrc-ldapsearch.crt \
--x509crlfile=../crl.pem
The client certificate is revoked and the CRL is verified with success,
certtool --generate-crl --load-ca-privkey=ca-key.pem \
--load-ca-certificate=ca-cert.pem \
--load-certificate lrc-ldap_client.gnutls.crt \
--outfile=crl.pem
certtool --verify-crl --load-ca-certificate ca-cert.pem < crl.pem
Positive feedback from verification:
Revoked certificates (1):
Serial Number (hex): 5532d6b135699b27
Revoked at: Sat Apr 18 22:23:44 UTC 2015
Still the client can establish a connection.
I hope i didn't miss something obvious but i'm working on this for two days already
and i'm completely stuck.
gnutls version: 3.3.8-6
slapd version: 2.4.40-4
Many thanks