I am using the Windows LDAP client DLL (wldap32.dll) to connect to a remote LDAP server. The connection is done over TLS (LDAPS protocol over port 636).
My problem is with enabling CRL revocation. I have found that it's possible to set the schannel options for the LDAP session by using:
ldap_set_option(ld, LDAP_OPT_SCH_FLAGS, &uLong);
so I attempted to pass the SCH_CRED_REVOCATION_CHECK_CHAIN option to the above call (prior to ldap_bind_s, of course), but after inspecting the Wireshark traffic, I see that the effect is that the client is requesting the OCSP status from the server, and that seems to fail (the TLS handshake is aborted because no OCSP status is returned). However, the server certificate does contain a CDP, and I want the client to use it to perform a revocation check via the pointed-to CRL, not via OCSP.
Is it just a limitation in schannel or am I doing something wrong?
Thanks
Amit
Found out the issue. Setting the schannel flag as mentioned above was actually the right thing to do, and it did make the Windows LDAP client perform the revocation check via the CRL.
However, I had difficulties verifying this because it kept using a cached copy, so I didn't see via Wireshark the CRL actually being fetched from the CDP.
To resolve that, I found out that I can clear the local CRL cache by running the certutil.exe commands:
certutil -setreg chain\ChainCacheResyncFiletime @now
certutil -urlcache * delete
and then it was clear that CRL verification was being performed (both from the Wireshark traffic and other tests).