Expired CRL contain valid information though not updated. As documented (http://xrootd.org/doc/dev45/sec_config.htm#_Toc464225463) CRLCheck=1 is expected to trigger an error is the loaded CRL is invalid for other reasons (for example if the signature verification fails), but accepts expired but otherwise valid CRLs, as CRLCheck=2 does. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/467#issuecomment-282793193 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1