Libsslfd supports CRL processing as described below.
CRL files (SSLeay-0.6.x)
In the SSLeay world at least, a CRL file, contains information about
the Issuer and a list of revoked serial numbers. The check_crl
routine, looks for a file named for that hash of the issuer plus an
extention of .crl, such a file can be produced as shown below:
# cd /usr/local/ssl/certs
# ../bin/ca -gencrl > crl.pem
# ln -s crl.pem `../bin/ca -noout -hash < crl.pem`.crl
If a CRL is found, we check that the issuer's actually match otherwise
we look for hash plus extentions of .0.crl .1.crl etc.
This function is called by the certificate callback routines, and
returns a value that indicates the check results:
If the certificate has been revoked, and VERIFY_FAIL_IF_NO_PEER_CERT
is set, the SSL session will fail to establish. Regardless of the
ssl_verify_flag setting, ssld_auth() will never accept an expired or
revoked certificate as authentication. If the ssl_verify_flag does
not have the VERIFY_FAIL_IF_NO_PEER_CERT bit set, then the client will
receive a meaningful error message.
- No CRL file found for issuer.
Note, unless compiled with -DCRL_PEDANTIC the
callback routines will quietly ignore this.
- Found a CRL which revokes subject cert.
- Found an expired CRL which does not revoke
subject cert. Note that in this case we cannot be sure the
certificate has been revoked or not. This is always logged.
- Found a valid CRL which does not revoke subject cert.
CRL files (SSLeay-0.8.x)
In SSLeay-0.8 the structures that the previous description relied on
are no longer available outside of libcrypto. In order to implement
CRL checks in SSLeay-0.8.1, you must apply the patch found in
ssl/lib/sslfd/crl-081.patch which will install the above login into
libcrypto such that check_crl() can now simply call
to find and load a CRL file. The rest of the logic remains the same.
$Id: crl.html,v 1.4 2002/11/27 06:11:51 sjg Exp $