Konstantin V. Gavrilenko wrote:
> Roumen,
>
> one last thing, what exactly does the MandatoryCRL option set?
>
> Since when it is set to no, the ssh_crl.pem does get checked whether the
> cert is revoked or not.
> However, when I set it to yes, I get the following error
> [SNIP]
>
> Jan 17 14:46:12 pingo sshd[25026]: error: ssh_x509revoked_cb: unable to
> get issued CRL
> [SNIP]


When MandatoryCRL is no, the certificate is checked for revocation only if a CRL is found in the X.509 store.

When the MandatoryCRL option is set and the certificate attribute "CRL Distribution Point" is set, the corresponding CRL must exist in the X.509 store.


Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev