Inline CRL

[lucha]

Currently is possible to include inline files for the configuration options -ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret and --tls-auth. It seems to me that crl-verify is missing, and that it would be nice to be able to put also that file inline.

The certificate revocation list, while mainly used on the server side, is sometimes needed also on the client side. In that case, the possibility of inlining it makes possible to have a single file containing all the needed configuration and data, which makes it easier to distribute to the final user. (I guess this was the original motivation for allowing inlining of the other files).

[Samuli Seppänen]

I guess inlining has not been implemented because it's heavily geared towards server usage. I think having the list in a separate file or a directory makes it more maintainable in the long run. However, I guess that having the option to inline it would not hurt and would make things more consistent.

[Samuli Seppänen]

Discussed this issue in the Munich 2014 hackathon. Agreed that inlining CRLs is not particularly useful, becqause:

• CRLs tend to get updated
• It's easier to upgrade a CRL file than an entire config file

[Samuli Seppänen]

Cron2: can we close this? If not, I'll add a "volunteer" tag to this ticket.

[David Sommerseth]

This feature does not seem to be practical without a way how to distribute the CRLs.

CRLs usually have an expiry date. You can circumvent that by having an expiry date set far into the future, but that will not resolve anything related to certificates revoked since the last local update of the CRL. CRLs must be updated regularly to have an effect. And in-lining CRLs means updating configuration files; which scales poorly when you have more than a few handful users.

So closing this request.