Bruce Keats wrote:
> I am having problems importing CRLs and managing CRLs within firefox.
> In the linux version, the import button opens a window that allows me to
> enter a file name for the CRL. The CRL is in PEM format and is called
> "root.crl". When I select OK, there are no error messages, however the CRL
> is not imported.

Yeah, mozilla security error dialogs leave a lot to be desired
https://bugzilla.mozilla.org/show_bug.cgi?id=107491

In this case, the CRL has to have been signed by a trusted CA. If the CA
cert isn't already in your profile and marked trusted, the CRL import will
fail. That's my guess about your experience.

> On the Windows version, this functionality works OK.
> However, if I remove the CRL then try and import a more up to date CRL,
> I get an error.

What version of NSS are you using?

I vaguely (and perhaps erroneously) recall that there is (er, once was) a
problem that occurs when your only CRL expires or is removed. The problem
is that if NSS thinks you have (or had) a CRL for a CA, then NSS cannot
thereafter verify any signatures without the CRL for that CA, INCLUDING
the signatures on new CRLs. I think that was fixed in NSS 3.10 or 3.11,
but my memory of this is pretty hazy. Perhaps MisterCRL will reply to
this soon.

> Is there a problem with the Linux version or am I doing something
> wrong? Is there a build option I need to get this to work properly?

> How about the windows version?

What version is that?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto