Peter,
   Thanks for sharing.
However, I disagree on a few points. OpenSSL does have some CRL handling capability. Please refer to the O'Reilly OpenSSL book as well as the x509_verify_cert() source code.

Lincoln
--- Peter Sylvester <[EMAIL PROTECTED]> wrote:

> > I am not sure Apache actually has this capability at all. Local CRLs are used in OpenSSL's x509_verify_cert() function, and since it doesn't involve network download, it is handled by OpenSSL.
> 
> There is no functionality of CRL in mod_ssl or openssl. OpenSSL allows one to extract the value programmatically, i.e. the URI.
> 
> Maintaining a cache of CRL can be considered as out of scope for openssl... BUT, the new codes for 'store'...
> 
> > CDP extension may, at the option of the CA, be either critical or non-critical. However, the Internet Certificate and CRL profile (RFC 2459) recommends that this extension be marked non-critical, meaning an implementation can choose to ignore this extension.
> it's RFC 3280. The wording is a little bit more difficult, but since it is difficult to detect what 'support' means.
> 
> > For every client certificate, if the application downloads CRLs from the CDPs indicated in the certificate, it may be a lot of overhead in terms of delay and processing. Some CRLs are very long (can go up to a few Mbytes of data), making downloading CRL per SSL connection unbearable.
> Indeed. And it conflicts with the basic assumption that a relying party can make reasonable decisions with an immediate online access to the CA databases etc (if not, you wouldn't need these kinds of certs at all.)
> 
> > Therefore, I don't know whether Apache does this at all. If you have a different opinion, please share it.
> What different opinion? That you don't know?? :-)
> 
> > > I am wanting to get CRL Distribution Points working within my client certs.
> > >
> > > Using Apache I am able to get certificate revocation working using the SSLCARevocationFile directive (using a local file).
> > >
> > > Using a http://www.webserver.com/crlfile.crl within the cert (CRL Distribution Point) it doesn't work. I have put the crl on a remote web server. Watching the logs on the remote server I do not see the crl being accessed.
> > >
> > > Any troubleshooting tips?
> > >
> > > Does the browser go out and access the crl? or does the server?
> 
> A browser can go to look in the DP to check the CRL of the issuer of the server cert. That's not an issue for OpenSSL.
> 
> An Apache server with mod_ssl may want to know the CRLs for the client certs that it accepts.
> 
> The server has to be configured with the CA certs of the CAs for which it accepts client certs. In many cases CRLs for these certs are in fixed locations, thus it may be advisable to download them once per day in a totally independent procedure that does not only download the CRL from time to time, it also validates them for good signature and validity before giving the best known to the server.
> 
> But very often the application behind also has a mechanism of authorisation control, thus, instead of revoking a cert it *may* be easier to reject the access in your priv management infrastructure. But not always.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
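Peter's suggestion above (fetch the CRL out of band on a schedule, check its signature and validity, and only then hand it to the file named by SSLCARevocationFile) as an added example that is not from the thread. It assumes the openssl and curl command-line tools, GNU date, and the placeholder values CA_FILE, CRL_URL and CRL_DEST.

```shell
#!/bin/sh
# Out-of-band CRL refresh for a mod_ssl server (added example, not from the thread).
# CA_FILE, CRL_URL and CRL_DEST are assumed placeholders; CRL_URL reuses the
# CDP URL quoted in the thread. Needs the openssl and curl CLIs and GNU date.
CA_FILE="${CA_FILE:-/etc/ssl/certs/client-ca.pem}"          # CA whose client certs Apache accepts
CRL_URL="${CRL_URL:-http://www.webserver.com/crlfile.crl}"   # fixed CDP location
CRL_DEST="${CRL_DEST:-/etc/ssl/crl/client-ca.crl}"          # file named by SSLCARevocationFile

# Emit a CRL as PEM on stdout whether the download was DER or PEM; fail otherwise.
crl_to_pem() {
    openssl crl -inform DER -in "$1" 2>/dev/null || openssl crl -inform PEM -in "$1"
}

# Accept the CRL in $1 only if it parses, its signature verifies under the CA
# certificate in $2, and its nextUpdate has not passed. Returns 0 on success.
validate_crl() {
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK' || return 1
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//') || return 1
    next_epoch=$(date -u -d "$next" +%s) || return 1        # GNU date assumed
    [ "$next_epoch" -gt "$(date -u +%s)" ]
}

# Download, normalise to PEM, validate, then replace the live file atomically so
# a bad download never clobbers a good CRL. Apache re-reads the file on restart.
refresh_crl() {
    tmp=$(mktemp) && pem=$(mktemp) || return 1
    if curl -fsS -o "$tmp" "$CRL_URL" && crl_to_pem "$tmp" > "$pem" \
       && validate_crl "$pem" "$CA_FILE"; then
        chmod 0644 "$pem" && mv "$pem" "$CRL_DEST" && rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp" "$pem"
    echo "CRL refresh rejected; keeping previous $CRL_DEST" >&2
    return 1
}
```

Run refresh_crl from cron once a day and follow a success with a graceful Apache restart so mod_ssl picks up the new file.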



                