From 1baceedb871dde35585f12e6785232b3d6d47cde Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 5 Jul 2023 15:50:32 +1200 Subject: [PATCH] =?UTF-8?q?krb5:=20Clarify=20documentation=20for=20?= =?UTF-8?q?=E2=80=98pkinit=5Frevoke=E2=80=99=20parameter?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If multiple valid CRLs are specified for a particular issuer, only the first will be checked. The documentation didn’t really hint at this. Signed-off-by: Joseph Sutton --- lib/krb5/krb5.conf.5 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 2f5c30d12..271a0d455 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -185,6 +185,7 @@ anchors for PKINIT KDC certificates. .It Li pkinit_revoke = Va HX509-STORE ... This is a multi-valued parameter naming one or more stores of CRLs for the issuers of PKINIT KDC certificates. +Only the first valid CRL for a particular issuer will be checked. If no CRLs are configured, then CRLs will not be checked. This is because hx509 currently lacks support. .El @@ -905,6 +906,7 @@ type stores are OpenSSL-style CA certificate hash directories. .It Li pkinit_revoke = Va HX509-STORE ... This is a multi-valued parameter naming one or more stores of CRLs for the issuers of PKINIT client certificates. +Only the first valid CRL for a particular issuer will be checked. If no CRLs are configured, then CRLs will not be checked. This is because the KDC will not dereference CRL distribution points nor request OCSP responses.
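Review bot: in the first hunk (libdefaults, pkinit_revoke for KDC certificates) the added sentence "Only the first valid CRL for a particular issuer will be checked." does not say in what order "first" is determined: the order in which the stores are listed in pkinit_revoke, or the order of entries within a store? This matters operationally, because an administrator who appends a freshly issued CRL after an older one for the same issuer would, on this wording, silently keep checking against the older list and miss newer revocations. Suggest stating the ordering and the consequence explicitly, e.g. "Only the first valid CRL found for a given issuer, in the order the stores are listed, is consulted; later CRLs for that issuer are ignored, so configure at most one CRL per issuer or list the newest first." It would also help to say what "valid" means here (signature verifies and the CRL is within its validity period), so the reader knows whether an expired CRL is skipped or still counts as the first one.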
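Review bot: the second hunk (kdc section, pkinit_revoke for client certificates) adds the identical sentence, so the same ordering ambiguity applies to client-certificate revocation, which is the case most administrators will actually configure. Since the following context line already states that the KDC will not dereference CRL distribution points nor request OCSP responses, the configured CRL list is the only revocation source, and the manual should make the failure mode concrete: a stale CRL listed before a newer one for the same issuer means the newer revocations are never checked. Consider whether documenting this is sufficient or whether hx509 should instead prefer the valid CRL with the most recent thisUpdate, or at least warn when more than one CRL for the same issuer is loaded; if the behaviour stays, a short cross-reference between the two pkinit_revoke descriptions would keep the wording from drifting apart.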