On Sun, Feb 28, 1999, [EMAIL PROTECTED] wrote:

> Has anyone worked on CRL checking in mod_ssl.
> I don't have any standard CRL available (using XCert Sentry), but I
> can generate a list of revoked serial numbers quite easily.
> From looking at the source my guess is that I should modify
> ssl_callback_SSLVerify, using X509_get_serialNumber (and
> ASN1_INTEGER_get) to extract the serial no?
> Is this a workable solution, and perhaps has anybody already tried
> this and have some code / advice to share? Would it be too much of
> a performance killer to try to use LDAP to look up cert status, or
> should I load the list locally and access it through something like
> shmem or perhaps dbm when it gets too big.
> Alternatively I would be working on doing this through OCSP, but I'd
> rather wait with that for a while.

I've a few patches (from me and someone else) in my development queue which
provide a way to read CRLs via SSLeay and the latest OpenSSL snapshot also
provides more support for CRLs. Actually in the past I've waited until SSLeay
had more support. Now with the forthcoming OpenSSL 0.9.2 we can give it a try
again. The idea is to directly read X.509 CRLs and reject certificates based
on the ingredients.  The ssl_callback_SSLVerify function is the code location
for this, yes.

> BTW: What versions of ssleay/openssl are supported by mod_ssl? I haven't
> been able to find that in the docs.

Currently SSLeay 0.9.0, OpenSSL 0.9.1c and the latest OpenSSL snapshot. With
the forthcoming OpenSSL 0.9.2 it seems like I'll have to force people to use it and
drop support for SSLeay 0.9.0 and OpenSSL 0.9.1c because I've now finished
DSA/DH support for mod_ssl and it only can work with the latest OpenSSL. And
because of `make certificate' and other things I'm not able to provide support
for both old SSLeay and OpenSSL, so it seems that I'll drop SSLeay support in
the next weeks. At least when one wants to use all functionality of
mod_ssl...
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
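The approach floated in the question (extract the serial in the verify callback and look it up in a locally loaded list of revoked serials) can be sketched as follows. This is an added example for this thread, not code from mod_ssl or from anyone on the list. It assumes a list file format of one big-endian hex serial per line (optionally ':'-separated, with '#' comments), the function names `revlist_parse`, `revlist_contains` and `revoked_serial_verify_callback` are invented here, and the OpenSSL-facing part is compiled only with `-DUSE_OPENSSL`, using the serial accessors the question names plus the modern `ASN1_STRING_get0_data` accessor.

```c
/* Added example: local revoked-serial list consulted from a verify callback.
 * Not mod_ssl code; names and the list file format are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SERIAL 20 /* RFC 5280 caps serialNumber at 20 octets */

typedef struct { unsigned char v[MAX_SERIAL]; size_t len; } serial_t;
typedef struct { serial_t *items; size_t n; } revlist_t;

/* Drop leading zero octets so "00ab", "0ab" and "ab" compare equal; this also
 * absorbs the sign-padding byte DER adds when the top bit of a serial is set. */
static void serial_canon(serial_t *s)
{
    size_t i = 0;
    while (i + 1 < s->len && s->v[i] == 0) i++;
    memmove(s->v, s->v + i, s->len - i);
    s->len -= i;
}

/* Total order usable by qsort/bsearch: shorter (numerically smaller) first. */
static int serial_cmp(const void *a, const void *b)
{
    const serial_t *x = a, *y = b;
    if (x->len != y->len) return x->len < y->len ? -1 : 1;
    return memcmp(x->v, y->v, x->len);
}

static int hexval(char c) { return isdigit((unsigned char)c) ? c - '0' : c - 'a' + 10; }

/* Parse hex such as "0a1b" or "0a:1b" into a serial. An odd digit count is
 * left-padded with a zero nibble. Returns 1 on success, 0 on malformed input. */
int parse_hex_serial(const char *hex, serial_t *out)
{
    char digits[2 * MAX_SERIAL];
    size_t n = 0, pad, i;
    for (const char *p = hex; *p; p++) {
        if (*p == ':' || isspace((unsigned char)*p)) continue;
        if (!isxdigit((unsigned char)*p) || n >= sizeof digits) return 0;
        digits[n++] = (char)tolower((unsigned char)*p);
    }
    if (n == 0) return 0;
    pad = n % 2;
    out->len = (n + pad) / 2;
    for (i = 0; i < out->len; i++) {
        char hi = (i == 0 && pad) ? '0' : digits[2 * i - pad];
        char lo = digits[2 * i + 1 - pad];
        out->v[i] = (unsigned char)((hexval(hi) << 4) | hexval(lo));
    }
    serial_canon(out);
    return 1;
}

/* Build a sorted list from text with one serial per line. Lines that do not
 * parse are skipped and counted in *bad (if non-NULL) so the loader can refuse
 * to start on a corrupt list instead of silently accepting revoked certs. */
revlist_t *revlist_parse(const char *text, size_t *bad)
{
    revlist_t *l = calloc(1, sizeof *l);
    size_t cap = 0;
    if (!l) abort();
    if (bad) *bad = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t full = eol ? (size_t)(eol - text) : strlen(text);
        char line[128], *hash;
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        int blank = 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if ((hash = strchr(line, '#')) != NULL) *hash = '\0';
        for (char *p = line; *p; p++) if (!isspace((unsigned char)*p)) blank = 0;
        if (!blank) {
            serial_t s;
            if (parse_hex_serial(line, &s)) {
                if (l->n == cap) {
                    serial_t *tmp;
                    cap = cap ? 2 * cap : 64;
                    if ((tmp = realloc(l->items, cap * sizeof *tmp)) == NULL) abort();
                    l->items = tmp;
                }
                l->items[l->n++] = s;
            } else if (bad) {
                (*bad)++;
            }
        }
        text = eol ? eol + 1 : text + full;
    }
    qsort(l->items, l->n, sizeof *l->items, serial_cmp);
    return l;
}

/* Membership test on the raw big-endian serial octets as read from the cert.
 * Serials over 20 octets are non-conforming; they are reported as not listed
 * here, so a caller wanting to fail closed should reject them beforehand. */
int revlist_contains(const revlist_t *l, const unsigned char *der, size_t len)
{
    serial_t key;
    if (len == 0 || len > MAX_SERIAL) return 0;
    memcpy(key.v, der, len);
    key.len = len;
    serial_canon(&key);
    return bsearch(&key, l->items, l->n, sizeof *l->items, serial_cmp) != NULL;
}

void revlist_free(revlist_t *l) { if (l) { free(l->items); free(l); } }

#ifdef USE_OPENSSL /* build with -DUSE_OPENSSL -lssl -lcrypto; not compiled otherwise */
#include <openssl/x509.h>
static revlist_t *g_revoked; /* assumed: loaded once at startup from the list file */

/* Same shape as the callback given to SSL_CTX_set_verify(), which is where
 * mod_ssl's ssl_callback_SSLVerify sits. Only consult the list when the chain
 * is otherwise fine, and report with the standard revocation error code. */
int revoked_serial_verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    const ASN1_INTEGER *sn = cert ? X509_get_serialNumber(cert) : NULL;
    if (ok && g_revoked && sn &&
        revlist_contains(g_revoked, ASN1_STRING_get0_data(sn), (size_t)ASN1_STRING_length(sn))) {
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
        return 0;
    }
    return ok;
}
#endif
```

Two caveats for anyone adapting this: a serial number is only unique per issuer, so a list like this is safe only when every entry comes from the one CA whose certificates the server accepts (otherwise key the list by issuer name as well), and the list has to be reloaded when the CA revokes something, which is exactly the gap a real CRL's thisUpdate/nextUpdate fields are meant to close. Later OpenSSL releases implement the direction Ralf describes directly, with `X509_STORE_add_crl()` and `X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK)`, so the hand-rolled serial list is best treated as a stopgap until proper CRL loading is available.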
