Index: tl-ldap-certalias
===================================================================
--- tl-ldap-certalias (revision 27175)
+++ tl-ldap-certalias (working copy)
@@ -636,23 +636,28 @@
 # implement OCSP support.
 #
+ crl = None
 for uri in cert["crl"]:
+
+ # for now we only support http distribution points
 if not uri.startswith("http"):
 continue
 crl = find_crl(uri)
- if crl is None:
- return (False, "Unable to retrieve CRL at %s" % uri)
+ if crl is not None:
+ break
- if crl["serials"].has_key(cert["serial"]):
- vprint("Certificate revoked by CRL list at %s" % uri)
- return (False, "Certificate has been revoked by CA")
+ # failed to get CRL, lets try next distribution point
+ vprint("Failed to download CRL list at %s, trying next distribution point" % uri)
+
+ # check if certificate is revoked
+ if crl is not None and crl["serials"].has_key(cert["serial"]):
+ vprint("Certificate revoked by CRL list at %s" % uri)
+ return (False, "Certificate has been revoked by CA")
- # We've passed expiration/validation dates, CA verification, CRL
- # checks. It's OK.
- return (True, "Certificate OK")
+
 def usage():
 print "Usage: tl-ldap-certalias [options]"
 print "Options:"
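Review bot: When every distribution point fails, `crl` stays `None`, the revocation check is skipped, and because the hunk also removes the final `return (True, "Certificate OK")` without a replacement the function falls off the end returning `None` — callers that unpack a `(bool, message)` pair will break, and a certificate whose revocation status could not be established is no longer rejected the way the old `return (False, "Unable to retrieve CRL at %s" % uri)` did. Add an explicit fail-closed branch after the loop, `if crl is None:` / `return (False, "Unable to retrieve CRL from any distribution point")`, and keep `return (True, "Certificate OK")` as the last statement so the function always returns the same shape. If falling through is intended because the caller treats `None` as "no verdict", a comment on the function stating that contract would make it reviewable. The enclosing function starts before this hunk.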