Can you submit this to the Cyrus Bugzilla, please?

:wes

On 27 May 2010, at 13:04, Stacy Millions wrote:

> I have been working on deploying an imap server using EXTERNAL+TLS
> authentication. Everything is working fine and then I discover that
> there is no support for CRLs in imapd; from my point of view this is a
> Bad Thing(tm).
>
> I searched the mailing list and found a discussion of this in
> 2005/02 with the final word being (I'll paraphrase) "sounds
> interesting, patches welcome."
>
> All right, the attached implements CRL checking via a 'tls_crl'
> option in imapd.conf. Just point it at a PEM encoded CRL file. The
> file can contain multiple CRLs if you have more than one CA you
> care about.
>
> What it doesn't do is:
> - implement crl_path
> - implement CRL checking in the TLS client code
>
> It also suffers from the fact that this code is run at
> initialisation time. When the CRL expires you need to get a fresh
> CRL, you need to restart imapd; but this is the same behavior as
> Apache httpd and sendmail.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
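Because the CRL file is read only at start-up and may hold several CRLs, an operator needs to know when any one of them passes its nextUpdate so the file can be refreshed and imapd restarted. The following is an added example, not part of the patch or this thread: it reads thisUpdate/nextUpdate from every CRL in a PEM bundle using only the Python standard library. All function names are hypothetical and the sample bundle is constructed (unsigned skeletons, not real CRLs).

```python
import base64, re
from datetime import datetime, timezone
PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), both in 'Z' form."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    if tag == 0x17 and dt.year >= 2050:  # RFC 5280: UTCTime YY >= 50 means 19YY
        dt = dt.replace(year=dt.year - 100)
    return dt

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, pos, _ = _tlv(der, 0)              # CertificateList SEQUENCE
    _, pos, end = _tlv(der, pos)          # tbsCertList SEQUENCE
    tag, start, stop = _tlv(der, pos)
    if tag == 0x02:                       # optional version INTEGER
        tag, start, stop = _tlv(der, stop)
    for _ in range(2):                    # step past signature algorithm and issuer
        tag, start, stop = _tlv(der, stop)
    this_update, next_update = _time(tag, der[start:stop]), None
    if stop < end:
        tag, start, stop = _tlv(der, stop)
        if tag in (0x17, 0x18):           # nextUpdate is optional
            next_update = _time(tag, der[start:stop])
    return this_update, next_update

def stale_crls(pem_text, now):
    """Return (index, nextUpdate) for each CRL in the bundle that has expired."""
    found = [crl_validity(base64.b64decode(m.group(1))) for m in PEM_CRL.finditer(pem_text)]
    return [(i, nxt) for i, (_, nxt) in enumerate(found) if nxt and nxt <= now]

# Constructed sample: unsigned CRL skeletons carrying only the fields parsed above.
_der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
def sample_crl(this_update, next_update):
    tbs = _der(2, b"\x01") + _der(0x30, b"") * 2 + _der(0x17, this_update) + _der(0x17, next_update)
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN X509 CRL-----\n{b64}\n-----END X509 CRL-----\n"

BUNDLE = sample_crl(b"100501000000Z", b"100601000000Z") + sample_crl(b"100520000000Z", b"100620000000Z")
```

Run `stale_crls` from cron against the file named by the CRL option and alert on a non-empty result; it checks dates only and does not verify CRL signatures.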