A customer has certificates with 2 CRL distribution points; the tl-ldap-certalias tool will revoke the cert if both of those distribution points are not accessible, which is the wrong approach.
The logic needs to be changed so that the first available CRL is good enough, rather than requiring all distribution points.
Created attachment 475
Patch for fixing the logic of revocation
After some more in-depth digging, multiple distribution points are not automatically used as failover. Here follows a summary of how I interpret the loose standard.
A distribution point has an optional reasons field. If this field is omitted, the distribution point should handle all reasons for revocation, and a revocation lookup is therefore valid when checking only against that specific distribution point.
A distribution point can handle just a few specific revocation reasons, and there can be more distribution points handling the rest of the reasons.
This means that we need to take care of this with the following logic.
If a distribution point has no reasons field, this distribution point should be used for all reasons and is enough for a valid revocation check.
If a distribution point has a reasons field, we should fetch all other distribution points to make a complete revocation check against several CRLs.
For more info see '4.2.1.14 CRL Distribution Points' in RFC 3280:
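The decision logic described in the comment above, as an added example that is not part of the bug report or of the tl-ldap-certalias code: a distribution point without a reasons field is sufficient on its own, while distribution points that carry a reasons field must together cover every ReasonFlags bit before the check counts as complete, and an unreachable CRL leaves the status undetermined rather than revoked. The `DistributionPoint`, `CRL` and `make_fetcher` names are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# RFC 3280 ReasonFlags bit names, excluding the "unused" bit (0).
ALL_REASONS: FrozenSet[str] = frozenset({
    "keyCompromise", "cACompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "certificateHold", "privilegeWithdrawn", "aACompromise",
})


@dataclass(frozen=True)
class DistributionPoint:
    uri: str
    # None means the reasons field was omitted: this DP covers all reasons.
    reasons: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class CRL:
    revoked_serials: FrozenSet[int]


def make_fetcher(reachable: Dict[str, CRL]) -> Callable[[str], Optional[CRL]]:
    """Build a fetch callback from a constructed {uri: CRL} map; other URIs are unreachable."""
    return lambda uri: reachable.get(uri)


def check_revocation(serial: int, dps: List[DistributionPoint],
                     fetch: Callable[[str], Optional[CRL]]) -> str:
    """Return "revoked", "good" or "undetermined" for the certificate serial.

    The certificate is only "good" once reachable CRLs cover every reason:
    either one DP with no reasons field, or a set of partitioned DPs whose
    reason flags together make up ALL_REASONS. Failing to reach a CRL never
    turns into "revoked".
    """
    covered: set = set()
    for dp in dps:
        crl = fetch(dp.uri)
        if crl is None:          # unreachable: try the next distribution point
            continue
        if serial in crl.revoked_serials:
            return "revoked"     # listed on any CRL means revoked for that reason
        if dp.reasons is None:
            return "good"        # no reasons field: this single CRL is complete
        covered |= dp.reasons
        if covered >= ALL_REASONS:
            return "good"        # partitioned CRLs now cover every reason
    return "undetermined"        # not enough reachable CRLs to decide
```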