2013 Apr 07
ssl_require_crl does not work as expected
.... I did not find a solution either in the wiki or anywhere else, so I finally started to read the source.
My impression is that OpenSSL will always try to use CRLs. If "ssl_require_crl = no", Dovecot will use CRLs but tries to ignore the OpenSSL error codes X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CRL_HAS_EXPIRED.
This is done in ssl_verify_client_cert() in ssl-proxy-openssl.c line 871, namely:
i_info("proxy=%d, require_crl=%d, error=%d",
       proxy->client_proxy, proxy->set->ssl_require_crl, ctx->error);
if (proxy->client_proxy && !proxy->set->ssl_require_crl &am...