Applications using HandshakeRole ServerWithClientAuth can optionally use a Certificate Revocation List (CRL) service. This service is provided by an LDAP server. The TTLSGskLdapParms statement is used to configure System SSL so that it can contact a CRL service. Connections used by System SSL to contact the CRL service should not fall under an enabled AT-TLS policy because these connections can be made before AT-TLS policy has been installed.