That would be the the ideal solution. The problem is that the customer's security-policy demands dedicated hardware performing IDS/IPS functionality at the point of TLS-termination. The devices at hand do not provide the functionality to call a user-defined external service for certificate validation apart from OCSP.
The future workaround will be a mockup OCSP-responder but that solution will need some time for implementation. our current focus lies on a rather quick than perfect solution that buys some time to ship something more solid. ________________________________________ Von: openssl-users <openssl-users-boun...@openssl.org> im Auftrag von Michael Wojcik <michael.woj...@microfocus.com> Gesendet: Freitag, 4. Dezember 2020 15:07:02 An: openssl-users@openssl.org Betreff: RE: Client-Certificate blocking without conrolling the issuing CA > From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Vincent > Truchsess - rockenstein AG > Sent: Friday, 4 December, 2020 04:27 > > The organization legally responsible for the application maintains a > blocklist of certificate serials they consider to be invalidated. Also, this > organization does not bother to get those certificates revoked by their CA so > using OCSP or CRLs against the CAs services has no effect on denying access > to invalid users. > > The hardware performing the certificate-validation allows for locally stored > CRLs. Our intention was to generate those ourselves using a selfsigned CA. As > far as I went, it seems that openssl only allows for revocations of > certificates signed by the local CA. I assume you mean "certificates signed by the issuing CA". The CRL has to be generated by the CA that issued the certificates. It seems to me that the simplest solution would be to have the application add a certificate validation callback that checks the serial number against this not-really-a-CRL list of forbidden client certificates. That's the sort of thing certificate validation callbacks are for: implementing additional restrictions (or removing existing ones) on which certificates will be accepted. -- Michael Wojcik
