This optional flag parameter specifies whether a delta Certificate
Revocation List (CRL) must be checked for revoked certificates in addition
to the base CRL. It is used with TLS-based EAP types, such as TLS, TTLS, and
PEAP, that have been configured to check client certificates. Currently,
delta CRL files are loaded with the EAPTLS_CRLFile parameter, in the same
way as base CRL files.
CAUTION
EAPTLS_CRLCheckUseDeltas is currently experimental.
Before enabling EAPTLS_CRLCheckUseDeltas, note the following
requirements and restrictions:
- EAPTLS_CRLCheck must be enabled in Radiator configuration
- Both base and delta CRLs must use CRL v2 format
- Do not use delta CRL files without enabling EAPTLS_CRLCheckUseDeltas
- OpenSSL indicates only one delta CRL file can be used
- Review the OpenSSL notes about delta CRLs on the OpenSSL manual page for
X509_VERIFY_PARAM_set_flags.
- Test that your base and delta CRLs work when CRL files are updated
or refreshed
Please contact Radiator support to report success or any problems
you encounter with delta CRLs.
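
A pre-flight check for the restrictions listed above, as an added example that is not part of Radiator or its documentation: it classifies each CRL from the text printed by `openssl crl -noout -text` and rejects a set that is not all v2, has no base CRL, or has more than one delta CRL. The function names, the file names in the usage comment and the sample text are constructed for illustration.

```shell
# Added example, not Radiator code. Classify one CRL from the text printed by
# `openssl crl -noout -text` (read on stdin): prints not-v2, delta or base.
crl_kind() {
    text=$(cat)
    case "$text" in
        *"Version 2 (0x1)"*) ;;
        *) echo not-v2; return 0 ;;
    esac
    case "$text" in
        *"Delta CRL Indicator"*) echo delta ;;
        *) echo base ;;
    esac
}

# Check a list of kinds against the restrictions: every CRL is v2, a base
# CRL is present, and at most one delta CRL is used. Returns 0 if acceptable.
check_kinds() {
    base=0; delta=0
    for k in "$@"; do
        case "$k" in
            base)  base=$((base + 1)) ;;
            delta) delta=$((delta + 1)) ;;
            *)     echo "CRL is unreadable or not v2" >&2; return 1 ;;
        esac
    done
    [ "$base" -ge 1 ] || { echo "no base CRL" >&2; return 1; }
    [ "$delta" -le 1 ] || { echo "more than one delta CRL" >&2; return 1; }
    [ "$delta" -eq 0 ] || echo "delta CRL found: enable EAPTLS_CRLCheckUseDeltas"
    return 0
}

# Constructed sample of a delta CRL's text form (not real data).
sample_delta_text() {
    printf '%s\n' 'Certificate Revocation List (CRL):' \
        '        Version 2 (0x1)' \
        '            X509v3 Delta CRL Indicator: critical' \
        '                10'
}

# Usage: sh check_crls.sh base.pem delta.pem  (hypothetical PEM file names)
if [ "$#" -gt 0 ]; then
    kinds=""
    for f in "$@"; do
        kinds="$kinds $(openssl crl -in "$f" -noout -text 2>/dev/null | crl_kind)"
    done
    check_kinds $kinds   # unquoted on purpose: one word per CRL
else
    sample_delta_text | crl_kind   # prints: delta
fi
```

Run it against the same files named in the EAPTLS_CRLFile parameters each time the CRLs are refreshed, so that a replaced file which breaks one of the restrictions is caught before Radiator loads it.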