Hi,
I got client certificate checks working using something like:
bind 8.8.8.8:443 mss 1422 ssl crt server.pem ca-file root.crt crl-file root.crl
verify required
The gotcha is that this does not work when the revocation list isn't renewed:
$ openssl crl -in root-crl.pem -noout -text|head
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
/C=NL/L=Somewhere/O=Company/CN=ROOTCA/[email protected]
Last Update: Apr 8 08:48:11 2013 GMT
Next Update: May 8 08:48:11 2013 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date: May 7 15:51:36 2012 GMT
Serial Number: 04
...
In that case, I get error 23 (certificate revoked). I would expect error 12
(CRL has expired) as the certificate wasn't revoked, but the revocation list
wasn't renewed.
As these are self-signed certificates, I can issue a revocation list with a
very high 'next update' date, but that seems to be a hack to me. Why doesn't
HAProxy allow non-renewed revocation lists (as OpenVPN does), or return
error 12, which I can add as an acceptable error (ca-ignore-err)? In the latter
case HAProxy should still validate the certificate and check it against the CRL,
of course.
Mark
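A pre-deployment check for the situation described in the post, added here as an example and not code from the original message or from HAProxy: it parses `openssl crl -noout -text` output, reports how many days remain before Next Update (so an operator can alert before the CRL goes stale), and returns the OpenSSL verify code the poster expects (12 for an expired CRL, 23 for a revoked serial). The CRL text, the serials and the check order are constructed assumptions, not HAProxy's actual behaviour.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `openssl crl -noout -text` (not the poster's CRL).
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /C=NL/O=Company/CN=ROOTCA
        Last Update: Apr  8 08:48:11 2013 GMT
        Next Update: May  8 08:48:11 2013 GMT
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May  7 15:51:36 2012 GMT
    Serial Number: 04
        Revocation Date: Mar  1 10:00:00 2013 GMT
"""

# OpenSSL X509_V_ERR_* codes, the numbers HAProxy reports on a verify failure.
CRL_HAS_EXPIRED = 12
CERT_REVOKED = 23


def parse_crl_time(text):
    """Parse an OpenSSL timestamp such as 'May  8 08:48:11 2013 GMT' as UTC."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Extract the validity window and revoked serials from `openssl crl -text` output."""
    last_update = parse_crl_time(re.search(r"Last Update:\s*(.+)", text).group(1))
    next_update = parse_crl_time(re.search(r"Next Update:\s*(.+)", text).group(1))
    revoked = {}
    for serial, when in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)\s*Revocation Date:\s*(.+)", text):
        revoked[serial.upper().lstrip("0") or "0"] = parse_crl_time(when)  # normalise "01" -> "1"
    return {"last_update": last_update, "next_update": next_update, "revoked": revoked}


def days_until_renewal(crl, now):
    """Days left before Next Update; negative once the CRL is stale (alert well before 0)."""
    return (crl["next_update"] - now).total_seconds() / 86400


def check_client_serial(crl, serial, now):
    """Verdict for one client serial in the order the poster asks for (an assumption,
    not HAProxy's real behaviour): a stale CRL yields 12 before any revocation lookup."""
    if now > crl["next_update"]:
        return CRL_HAS_EXPIRED
    norm = serial.upper().lstrip("0") or "0"
    if norm in crl["revoked"]:
        return CERT_REVOKED
    return 0  # no verify error
```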