-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
972e562
commit 79782a5
Showing
1 changed file
with
6 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,16 +1,17 @@ | ||
| #r509-validity-crl [](http://travis-ci.org/reaperhulk/r509-validity-crl) | ||
| This project is related to [r509](http://github.com/reaperhulk/r509) and [r509-ocsp-responder](http://github.com/reaperhulk/r509-ocsp-responder) projects. It allows certificate validity and revocation information to be read from a pre-generated CRL and used to populate OCSP responses. | ||
| #r509-validity-crl [](http://travis-ci.org/r509/r509-validity-crl) [](https://coveralls.io/r/r509/r509-validity-crl?branch=master) | ||
|
|
||
| This project is related to [r509](http://github.com/r509/r509) and [r509-ocsp-responder](http://github.com/r509/r509-ocsp-responder) projects. It allows certificate validity and revocation information to be read from a pre-generated CRL and used to populate OCSP responses. | ||
|
|
||
| ##Usage | ||
| Remove the redis-related lines of the [config.ru](https://github.com/reaperhulk/r509-ocsp-responder#set-up-configru) for r509-ocsp-responder and replace them with this: | ||
| Remove the redis-related lines of the [config.ru](https://github.com/r509/r509-ocsp-responder#set-up-configru) for r509-ocsp-responder and replace them with this: | ||
| ```ruby | ||
| require 'r509/validity/crl' | ||
| crl_paths = ['/path/to/crl','/path/to/crl2'] | ||
| reload_interval = '60m' | ||
| Dependo::Registry[:validity_checker] = R509::Validity::CRL::Checker.new(crl_paths,reload_interval) | ||
| ``` | ||
| * Each element in crl_paths is an absolute path to a CRL to load on the filesystem. You should load those via an external cronjob. | ||
| * The reload_interval defines the interval at which the checker will reload the CRL from the filesystem. By default it is 60m. | ||
| * Each element in crl\_paths is an absolute path to a CRL to load on the filesystem. You should load those via an external cronjob. | ||
| * The reload\_interval defines the interval at which the checker will reload the CRL from the filesystem. By default it is 60m. | ||
|
|
||
| ##Limitations | ||
| Due to the way CRLs work the responder can only operate in "known bad" mode. That is, the OCSP responder will respond *VALID* to all queries for certificates that are not explicitly revoked. This is in contrast to "known good" mode enabled by tracking all issuances with a plugin like [r509-validity-redis](http://github.com/sirsean/r509-validity-redis), which allows for *VALID*, *REVOKED*, and *UNKNOWN* responses. |