x509 patch for SSH

Roumen Petrov openssh at roumenpetrov.info
Sun Jan 20 01:50:35 EST 2008


Konstantin V. Gavrilenko wrote:
> Roumen,
>
> one last thing, what exactly does the MandatoryCRL option set?
>
> Since when it is set to no, the ssh_crl.pem does get checked whether the
> cert is revoked or not.
> However, when I set it to yes, I get the following error
> [SNIP]
>   
> Jan 17 14:46:12 pingo sshd[25026]: error: ssh_x509revoked_cb: unable to
> get issued CRL
> [SNIP]

When MandatoryCRL is no, revocation is checked only if a CRL is found in the X.509 store.

When the MandatoryCRL option is set and the certificate attribute "CRL Distribution Point" is set, the corresponding CRL must exist in the X.509 store.


Roumen

-- 
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/



