Both openvpn and stunnel provide the ability to use directories of certificates which are accepted or rejected using the openssl libraries. Both provide the ability to have a CRL directory which can be changed dynamically as well as a single merged PEM file which is only read at startup. You might want to take a look at those programs to see how they provide the functionality. Openvpn uses an openssl.cnf for this processing.
Carter

Carter Browne
CBCS
cbro...@cbcs-usa.com
781-721-2890

Miroslav Kratochvil wrote:
> Hello,
>
> I've been trying to find any usable and complete documentation about
> CRL checking and several other things, but I failed, so I'm asking
> here.
> I want to do this:
>
> 1] I already have a program which connects/accepts SSL connections,
> and verifies the other peer's certificate against CA certificate.
> 2] I want it to reject the certificates which are present in a
> certificate revocation list (possibly multiple revocation lists),
> which is supplied in some file. It would be best if the file was
> loaded on program startup/initialization, so there was no need to do
> any I/O at runtime. (because my program can possibly do a chroot().)
> I'm asking for what's the best and usual way to do this - all
> documentation I found about CRL-handling functions is in form of
> man-like reference (which doesn't help much, as I'm a newbie here), or
> in the form of source code (which is hard to read, because it does a
> million other things I don't need). Could anyone point out any
> tutorial which explains this, or, at least, shows correct functions to
> do this?
> 3] I would like to check the incoming client certificate against
> multiple certificate authorities. I know this is possible with
> SSL_load_verify_locations using the indexed-directory loading, but, as
> I understood, it loads and examines the CA's on-demand (which is
> impossible when my program is chrooted.) Is there a possibility to
> load multiple CA's into memory?
> 4] I use SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which, surprisingly to me,
> doesn't verify certificate in Client mode. I suppose the Client mode
> is set when the SSL is connected using SSL_connect(), so my clients
> don't check for server certificate presence. Is there a method to
> force the certificate check even in the Client mode?
>
> and maybe a summary:
> 5] Generally I guess that all my problems fall into "write your own
> verify_callback" category. If I'm right, I can do 4] myself, but sadly
> have really no idea how to store the CA's and CRL's in memory.
>
> I hope someone here can point out any resources that would help me, or
> just tell me what functions/method of certificate storing/verifying to
> use.
> Thanks in advance,
>
> Mirek Kratochvil
>
> PS., if it helps, the program I'm talking about is here:
> http://exa.czweb.org/?view=cloudvpn
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org