No, ATS does not support revocation checks on the client certificate. By default it checks that the certificate is signed by a trusted root and is not expired. Adding revocation logic is an interesting idea.
There is a hook (TS_EVENT_SSL_VERIFY_CLIENT) where you can have your plugin attach additional logic to verify the client-provided certificate.
https://docs.trafficserver.apache.org/en/latest/developer-guide/api/types/TSEvent.en.html?highlight=ts_event_ssl_verify_client#c.TS_EVENT_SSL_VERIFY_CLIENT

Looks like this is another place that could use some more documentation. However, there is a test plugin that exercises the hook:
https://github.com/apache/trafficserver/blob/master/tests/tools/plugins/ssl_client_verify_test.cc

On Tue, Dec 3, 2019 at 5:35 AM supraja sridhar <[email protected]> wrote:

> Hello,
>
> Does ATS perform revocation check on client certificate? Does it support
> CRL and OCSP?
>
> Thanks,
> Supraja
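
An added example, not from the thread and not ATS code: the CRL decision a plugin could run from the TS_EVENT_SSL_VERIFY_CLIENT hook mentioned above, once it has the peer certificate's issuer and serial. `CrlStore`, `Verdict`, `demo` and the sample issuer and serials are hypothetical; the CRL is assumed to be already parsed and signature-checked, and rejecting when no fresh CRL is available is a policy assumption.

```cpp
#include <cctype>
#include <ctime>
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical types for this example; none of this is part of the ATS API.
enum class Verdict { Accept, RejectRevoked, RejectNoFreshCrl };

// Serials are printed differently by different tools ("00:AB:cd", "abcd").
// Keep hex digits only, uppercase them, and strip leading zeros.
std::string normalize_serial(const std::string &in) {
  std::string out;
  for (unsigned char c : in)
    if (std::isxdigit(c)) out.push_back(static_cast<char>(std::toupper(c)));
  auto nz = out.find_first_not_of('0');
  return nz == std::string::npos ? "0" : out.substr(nz);
}

class CrlStore {
  struct Snapshot { std::time_t next_update; std::set<std::string> revoked; };
  std::map<std::string, Snapshot> by_issuer_;  // one CRL per issuing CA
public:
  // Assumption: the caller has parsed the CRL and verified its signature.
  void load(const std::string &issuer, std::time_t next_update,
            const std::set<std::string> &serials) {
    Snapshot snap{next_update, {}};
    for (const auto &s : serials) snap.revoked.insert(normalize_serial(s));
    by_issuer_[issuer] = std::move(snap);
  }
  // Fail closed: an unknown issuer or a CRL past nextUpdate is a rejection,
  // so a missing or stale list cannot silently accept a revoked certificate.
  Verdict check(const std::string &issuer, const std::string &serial,
                std::time_t now) const {
    auto it = by_issuer_.find(issuer);
    if (it == by_issuer_.end() || now > it->second.next_update)
      return Verdict::RejectNoFreshCrl;
    return it->second.revoked.count(normalize_serial(serial))
               ? Verdict::RejectRevoked : Verdict::Accept;
  }
};

// Constructed sample data: CRL valid until t=1000 with two revoked serials.
Verdict demo(const std::string &serial, std::time_t now) {
  CrlStore store;
  store.load("CN=Example Client CA", 1000, {"00:AB:CD", "1f"});
  return store.check("CN=Example Client CA", serial, now);
}

int main() { return demo("AB:CD", 500) == Verdict::RejectRevoked ? 0 : 1; }
```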
