Hi There:

On January 22, 2009 01:41:18 pm Miroslav Kratochvil wrote:
> Hello,
>
> I've been trying to find any usable and complete documentation about
> CRL checking and several other things, but I failed, so I'm asking
> here.
> I want to do this:
>
> 1] I already have a program which connects/accepts SSL connections,
> and verifies the other peer's certificate against the CA certificate.
> 2] I want it to reject the certificates which are present in a
> certificate revocation list (possibly multiple revocation lists),
> which is supplied in some file. It would be best if the file was
> loaded on program startup/initialization, so there was no need to do
> any I/O at runtime (because my program can possibly do a chroot()).
> I'm asking for what's the best and usual way to do this - all
> documentation I found about CRL-handling functions is in the form of a
> man-like reference (which doesn't help much, as I'm a newbie here), or
> in the form of source code (which is hard to read, because it does a
> million other things I don't need). Could anyone point out any
> tutorial which explains this, or, at least, shows the correct functions to
> do this?
Ok - you WILL have to do IO during run time, since a CRL has a validity
period that is usually in the 8 - 24 hour range. So, unless you are going
to restart your application every 8 hours, you should have some way of
ensuring that you are using the most up to date CRL. Which either means
reloading it based on the certificate's CRL Distribution Point extension,
or reloading it off of disk.

> 3] I would like to check the incoming client certificate against
> multiple certificate authorities. I know this is possible with
> SSL_load_verify_locations using the indexed-directory loading, but, as
> I understood, it loads and examines the CAs on demand (which is
> impossible when my program is chrooted). Is there a possibility to
> load multiple CAs into memory?

No, it can load them at startup.

> 4] I use SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which, surprisingly to me,
> doesn't verify the certificate in Client mode. I suppose the Client mode
> is set when the SSL is connected using SSL_connect(), so my clients
> don't check for server certificate presence. Is there a method to
> force the certificate check even in the Client mode?
>
> and maybe a summary:
> 5] Generally I guess that all my problems fall into the "write your own
> verify_callback" category. If I'm right, I can do 4] myself, but sadly
> have really no idea how to store the CAs and CRLs in memory.
>

Or, you could use a tool like pathfinder
(http://www.carillon.ca/tools/pathfinder.php) to do it for you - I presume
that you are doing this on Unix, so it should pretty much "just work" for
you. We provide patches for a number of applications (apache, openldap,
stunnel, etc.) that should act as a template for adding in this
functionality to your program.

> I hope someone here can point out any resources that would help me, or
> just tell me what functions/method of certificate storing/verifying to
> use.
> Thanks in advance,
>
> Mirek Kratochvil
>
>
> PS., if it helps, the program I'm talking about is here:
> http://exa.czweb.org/?view=cloudvpn

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org