Hello,
I plan to add automatic CRL download to mod_ssl. I mean, when a certificate contains a CRL distribution point, use it to download the CRL just-in-time if it's not present in the local store, or if it's outdated, ...
I have the code to do the automatic download, but the integration into mod_ssl isn't evident to me, as it's my first dive into your code.
Here is what I currently plan:
- In function "ssl_callback_SSLVerify( )", replace the call to "ssl_callback_SSLVerify_CRL( )" by a call to a new function "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
- In "ssl_callback_SSLVerify_Validity( )":
  - possibly perform an OCSP check (see my e-mail from today)
  - call "ssl_callback_SSLVerify_CRL( )"
  - if the check failed because the certificate is revoked => return error
  - download the CRL
    (this could take quite long, I could get a time-out. Any idea about that?)
  - if the download failed => return error
  - write the CRL to the registered directory
  - create a link to the CRL with name {hash}.r0
    (can't I directly copy the file under that name?)
  - add the CRL to the CRL store
    (or completely re-create the store? This wouldn't be efficient)
  - call "ssl_callback_SSLVerify_CRL( )" again
Do you see any problem with that?
Is somebody interested in participating in this, or simply in discussing more in-depth details?
Marc
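The just-in-time refresh step of the plan above (test the cached CRL's nextUpdate, download with a bounded timeout, fail closed on error, and write the file straight under its {hash}.rN name instead of creating a link), as an added example that is not Marc's code or mod_ssl's. It is Python rather than C; the issuer hash is supplied by the caller (in mod_ssl it would come from OpenSSL's X509_NAME_hash()), and the hash value, URLs, 5-second timeout and stub fetcher are constructed for the demonstration.

```python
import os
import tempfile
import urllib.request
from datetime import datetime, timedelta, timezone
class CRLError(Exception):
    """No usable CRL could be obtained: the verify callback must fail closed."""
def crl_is_stale(next_update, now=None):
    """A cached CRL stops being usable once its nextUpdate has passed."""
    now = now or datetime.now(timezone.utc)
    return next_update is None or now >= next_update

def fetch_crl(url, timeout=5.0):
    """Download with a hard timeout so a slow CDP cannot stall the handshake."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except OSError as exc:  # URLError and socket timeouts are OSErrors
        raise CRLError(f"CRL download from {url} failed: {exc}") from exc

def store_crl(crl_dir, issuer_hash, der_bytes, slot=None):
    """Write straight under the hash name (no link needed), atomically via rename."""
    if slot is None:  # lowest free .rN: the suffix keeps colliding issuer hashes apart
        slot = 0
        while os.path.exists(os.path.join(crl_dir, f"{issuer_hash}.r{slot}")):
            slot += 1
    name = f"{issuer_hash}.r{slot}"
    fd, tmp = tempfile.mkstemp(dir=crl_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(der_bytes)
    os.replace(tmp, os.path.join(crl_dir, name))
    return name

def refresh_crl(crl_dir, issuer_hash, cdp_url, cached=None, now=None, fetcher=fetch_crl):
    """cached = (slot, next_update) of the on-disk CRL or None; downloads only if needed."""
    if cached and not crl_is_stale(cached[1], now):
        return f"{issuer_hash}.r{cached[0]}"  # still valid: no network round trip
    der = fetcher(cdp_url)                    # CRLError here means: reject the cert
    return store_crl(crl_dir, issuer_hash, der, cached[0] if cached else None)

def demo():
    """Constructed walk-through: fake issuer hash, stub fetcher, fixed clock."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fresh, stale, fetched = now + timedelta(days=7), now - timedelta(days=1), []
    stub = lambda url: fetched.append(url) or b"\x30\x03\x02\x01\x00"  # constructed bytes
    with tempfile.TemporaryDirectory() as d:
        first = refresh_crl(d, "1a2b3c4d", "http://cdp.example/a.crl", None, now, stub)
        hit = refresh_crl(d, "1a2b3c4d", "http://cdp.example/a.crl", (0, fresh), now, stub)
        other = refresh_crl(d, "1a2b3c4d", "http://cdp.example/b.crl", None, now, stub)
        redo = refresh_crl(d, "1a2b3c4d", "http://cdp.example/a.crl", (0, stale), now, stub)
        return first, hit, other, redo, len(fetched), sorted(os.listdir(d))
```

The walk-through ends with two files, .r0 and .r1, and three downloads: the fresh cache hit costs no network round trip, the colliding second issuer gets the next slot, and the stale CRL is replaced in place.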