I plan to add CRL automatic download to modssl. I mean, when a certificate contains a CRL distribution point, use it to download the CRL just-in-time if it's not present in the local store, or if it's outdated, ...
I have the code to do the automatic download, but the integration in modssl doesn't look evident to me, as it's my first dive into your code.

Here is what I currently plan:
- In function "ssl_callback_SSLVerify( )", replace the call to "ssl_callback_SSLVerify_CRL( )" by a call to a new function "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
- In "ssl_callback_SSLVerify_Validity( )":
  - possibly perform an OCSP check (see my e-mail from today)
  - call  "ssl_callback_SSLVerify_CRL( )"
  - if the check failed because the certificate is revoked => return error
  - download the CRL
    (this could be quite long, I could get a time-out. Any idea about that ?)
  - if the download failed => return error
  - write the CRL to the registered directory
  - create a link to the CRL with name {hash}.r0
    (can't I directly copy the file under that name ?)
  - add the CRL to the CRL store
    (or re-create totally the store ? This wouldn't be efficient)
  - call "ssl_callback_SSLVerify_CRL( )" again

Do you see any problem with that ?
Is somebody interested in participating in this, or simply discussing more in-depth details ?
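
The download-and-recheck flow planned above, as an added example that is not part of the original post or of mod_ssl's code: `check_crl` is a hypothetical stand-in for `ssl_callback_SSLVerify_CRL( )`, and the status names, the size cap and the 5-second timeout are assumptions. Any download failure is treated as a verification failure, and the CRL is written to a temporary file and renamed to `{hash}.r0` so a concurrent reader never sees a partial file.

```python
import os
import tempfile
import urllib.request
from enum import Enum

class Status(Enum):
    OK = 0
    REVOKED = 1
    CRL_UNAVAILABLE = 2   # CRL missing from the store or outdated

MAX_CRL_BYTES = 5 * 1024 * 1024   # assumed cap, not from the post

def http_fetch(url, timeout=5.0):
    """Download a CRL with a hard timeout and size cap; http(s) only."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("unsupported CRL distribution point scheme")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read(MAX_CRL_BYTES + 1)
    if len(data) > MAX_CRL_BYTES:
        raise ValueError("CRL larger than cap")
    return data

def install_crl(crl_dir, issuer_hash, data):
    """Write to a temp file in crl_dir, then rename it to {hash}.r0.
    The rename is atomic, unlike copying straight to the final name."""
    fd, tmp = tempfile.mkstemp(dir=crl_dir, prefix=".crl-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        final = os.path.join(crl_dir, issuer_hash + ".r0")
        os.replace(tmp, final)
        return final
    except BaseException:
        os.unlink(tmp)
        raise

def verify_validity(check_crl, cdp_url, crl_dir, issuer_hash, fetch=http_fetch):
    """check_crl() stands in for ssl_callback_SSLVerify_CRL(); returns a Status."""
    status = check_crl()
    if status is not Status.CRL_UNAVAILABLE:
        return status                      # OK or REVOKED: no download needed
    try:
        install_crl(crl_dir, issuer_hash, fetch(cdp_url))
    except Exception:
        return Status.CRL_UNAVAILABLE      # fail closed: caller rejects
    return check_crl()                     # second pass against the new CRL
```

The example does not parse or validate the downloaded bytes itself; it assumes the second `check_crl()` pass does that before the CRL is trusted.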

