Joe Orton wrote:
On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
Well, the current CRL strategy has a few problems. It ignores critical
extensions, but that's a separate issue...
I was looking at this recently; is it still true that mod_ssl has to do
so much of the CRL revocation checks for client certs itself (i.e. all
of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do
revocation checks itself if suitably configured, though maybe this is a
recent addition?
Some enhanced CRL support in X509_verify_cert() has been in OpenSSL for
some time (over a year).
You just need to set the relevant flags and OpenSSL will handle things.
OpenSSL 0.9.7 checks for critical CRL extensions and rejects a CRL if it
finds any.
0.9.8 can also use key identifiers to look up CRLs.
0.9.9 also includes support for extensions like IDP for CRL
partitioning. It also allows multiple CRLs with the same scope to appear
in a store and uses the first valid one (likely to change that to most
recent). There is also a form of dynamic CRL loading. The functionality
will be extended in future.
There is a difference in the directory handling. OpenSSL doesn't make
any distinction between certificate and CRL directories: a CRL can
appear in a certificate directory and vice versa.
Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org