There will be some libtls API additions post 6.1 to get the peer cert in PEM format.
In the meantime, testing snaps prior to 6.1 should be the priority. Not a talkathon.

On Sat, Apr 1, 2017 at 10:49 Joerg Sonnenberger <[email protected]> wrote:

> On Sat, Apr 01, 2017 at 07:53:05PM +1030, Jack Burton wrote:
> > One common example of that happening is when a cert gets revoked because
> > its private key has been lost/stolen and the user needs a new cert
> > associated with the same identity. An even more common example is when
> > a cert expires & gets renewed.
>
> If you are using certificate revocation, I think you should do the check
> as early as possible. That means in httpd in this case. Nothing later in
> the stack should have to care about expired or revoked certificates --
> it just adds complexity and the danger of someone forgetting about it.
>
> Which mechanisms to support (i.e. CRLs or OCSP) is a completely
> different topic.
>
> Joerg
