On 4/9/14, 7:56 AM, msk...@ansuz.sooke.bc.ca wrote: > My main question is: how do I get the Subversion command-line client to > read a CRL? The ssl-authority-files configuration setting lets me specify > my CA's root certificate in a file; is there a similar setting for the > CRL? I would prefer to distribute the CRL as a file (instead of a URL to > be checked automatically); is that possible? Or is it absolutely > necessary to post the CRL online somewhere and specify its URL in the root > certificate (which will require constructing a new root certificate and a > bunch of scripts to periodically re-issue and re-post the file). If it's > going to necessitate changes to the root certificate and frequent ongoing > maintenance, I might be better off just re-doing the entire public key > infrastructure from scratch, annoying as that will be. > > Note I am specifically asking about the Subversion command-line client > running under Linux. I already know how to configure Apache to read the > CRL on the server side. All I've been able to find online regarding > *client-side* Subversion CRL use is Windows-specific.
If you haven't seen it already we published a message on this over the weekend: https://mail-archives.apache.org/mod_mbox/subversion-announce/201404.mbox/%3C5349F1B7.1090306%40apache.org%3E Unfortunately I missed mentioning the state of Windows where it does fall back and support CRLs (see Bert's reply to your message). Unfortunately, the work around I had hoped last week would work for you ended up not working out. Primarily because OpenSSL needs a flag set to even support CRL checking at all and it's not set by default. Wish we had a better option for you. But it looks like starting with a fresh CA is probably your best option.
