Rick Macklem wrote on 2020/03/19 03:09:
Miroslav Lachman wrote:
[...]
NFS (or any other server) should check the list of revoked certificates too.
Otherwise you will not be able to deny access to a user who you no
longer want to have access.
Yes, good point.
I won't claim to understand this stuff, but from what I can see, all that is
done is the CRL is appended to the CAfile (the one the CA certificates
are in, being used for certificate verification via
SSL_CTX_load_verify_locations()).
(https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
shows a CAfile and CRLfile being concatenated and then used to verify a
certificate.)
There is code in sendmail that loads a CRL file separately, but it seems to
just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
is the one where the CAfile certificates are stored via
SSL_CTX_load_verify_locations(), I think?
(It just seems easier to append it to CAfile than do this. The sendmail code
uses poorly documented functions where the man page says
"SSL_CTX_load_verify_locations()" normally takes care of this.)
Does this sound right? rick
I think it would be better to have it in a separate file as Apache does
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile
Seems more convenient to have the CA file write protected (read only) and
then a separate file for the list of revoked client certificates, maybe
somewhere else than the CA certificate.
Kind regards
Miroslav Lachman
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
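The layouts discussed in this thread (CRL appended to the CAfile, CRL kept in its own file, and no CRL loaded at all), as an added example using the openssl command-line tool. This is not code from the thread, from sendmail, or from the FreeBSD NFS work; it builds a throwaway CA and one client certificate in a temporary directory (all names are made up) and assumes only that an openssl binary with its default openssl.cnf is installed. The point it makes, which the thread leaves implicit: OpenSSL does load a CRL that is concatenated onto the CAfile, but it does not consult it unless CRL checking is switched on (the -crl_check flag here, X509_V_FLAG_CRL_CHECK set via X509_STORE_set_flags() in library code), and once checking is on, a CRL that cannot be found fails verification for every certificate, revoked or not.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA with the openssl
# CLI, issue one client certificate, revoke it, and verify it the ways the
# thread discusses. Assumes only that an `openssl` binary is on PATH.
set -eu

# Create CA, client cert and a CRL revoking that client in a fresh temp dir.
setup_pki() {
    work=$(mktemp -d)
    cd "$work"

    # Throwaway CA (made-up name; everything here is generated locally).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo NFS CA" -keyout ca.key -out ca.pem

    # Client certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout client.key -out client.csr
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
        -set_serial 1000 -days 30 -out client.pem

    # Minimal 'openssl ca' database: enough to record a revocation and emit a CRL.
    touch index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = ./index.txt
crlnumber        = ./crlnumber
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke client.pem
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem

    # The "append the CRL to the CAfile" layout from the raymii article.
    cat ca.pem crl.pem > ca_plus_crl.pem
}

# Run 'openssl verify' on client.pem with the given options; print OK, or the
# reason OpenSSL gives for rejecting the certificate.
verify_client() {
    if out=$(openssl verify "$@" client.pem 2>&1); then
        echo OK
    else
        echo "$out" | grep -oE 'certificate revoked|unable to get certificate CRL' | head -n 1
    fi
}

# Print one "label:result" line per scenario.
crl_demo() {
    setup_pki >/dev/null 2>&1
    # CRL is in the CAfile, but CRL checking is off: the revoked cert is accepted.
    echo "concat-no-crl_check:$(verify_client -CAfile ca_plus_crl.pem)"
    # Same concatenated file with CRL checking on: rejected.
    echo "concat-crl_check:$(verify_client -crl_check -CAfile ca_plus_crl.pem)"
    # CRL kept in its own file (the Apache-style layout): rejected as well.
    echo "separate-crl_check:$(verify_client -crl_check -CAfile ca.pem -CRLfile crl.pem)"
    # CRL checking on but no CRL loaded: fails for every cert, revoked or not,
    # so a missing or unreadable CRL file locks everyone out.
    echo "no-crl-loaded:$(verify_client -crl_check -CAfile ca.pem)"
}

crl_demo
```

The separate-file case is what the Apache SSLCARevocationFile layout amounts to: in library code the equivalent is adding the CRL to the store returned by SSL_CTX_get_cert_store() (for instance with X509_STORE_load_locations() or X509_load_crl_file()) and then setting X509_V_FLAG_CRL_CHECK with X509_STORE_set_flags(). Whichever file layout is chosen, the flag is the part that actually makes revocation bite, and the last scenario is the operational cost to plan for: a server with checking enabled and no current CRL rejects everyone.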