I think someone has touched on some of this on the list recently, but I was curious if there was a way to programmatically (through an API call or otherwise) patch into OpenSSL's configuration capability - I understand the library by default looks at text files on a file system for things like root certificates, but if I'm running on an embedded system with no hard drive and I don't have a persistent storage medium accessible through traditional file I/O calls, how would I feed OpenSSL everything it needs to operate correctly?

Also, because I'm on an embedded system, I can't download CRLs to a file on a file system because of limited storage. I either have to download delta-CRLs (which is no guarantee of a small download), or have a way to "stream" CRL data through a verifier process. In this way, certificates are checked against a CRL while the data is being downloaded into the embedded device. After CRL records have been processed, they're thrown away. If we have a "match" in a CRL, we can cache that cert as being "revoked" - like a "lookaside list" that we check prior to downloading a CRL. Of course the "revoked cert" cache would not be persistent because we may not have non-volatile memory to store the cache.

If we're using OCSP, a file system is not really an issue, and we can cache OCSP responses as well, as supported by the protocol.


Any information on API configuration of all openssl parameters (no text files) and certificate validation on a constrained embedded device is much appreciated.

Thanks!
Randy

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
