Re: TLS certificates for NFS-over-TLS floating client

From: Miroslav Lachman <000.fbsd_at_quip.cz>
Date: Thu, 19 Mar 2020 11:45:42 +0100
Rick Macklem wrote on 2020/03/19 03:09:
> Miroslav Lachman wrote:
>>
> [...]

>> NFS (or any other server) should check the list of revoked certificates too.
>> Otherwise you will not be able to deny access to a user who you no
>> longer want to have access.
> Yes, good point.
> I won't claim to understand this stuff, but from what I can see, all that is
> done is the CRL is appended to the CAfile (the one the CA certificates are in,
> being used for certificate verification via SSL_CTX_load_verify_locations()).
> (https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
> 
> There is code in sendmail that loads a CRL file separately, but it seems to
> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
> I think?
> (It just seems easier to append it to CAfile than do this. The sendmail code uses
>   poorly documented functions where the man page says
>   "SSL_CTX_load_verify_locations()" normally takes care of this.)
> 
> Does this sound right? rick

I think it would be better to have it in a separate file as Apache does
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile

It seems more convenient to have the CA file write protected (read only) and
then a separate file for the list of revoked client certificates, maybe
somewhere other than the CA certificate.

Kind regards
Miroslav Lachman
Received on Thu Mar 19 2020 - 09:45:48 UTC
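Added example, not code from the thread or from the FreeBSD NFS-over-TLS daemons: the two ways of supplying a CRL discussed above (appended to the CAfile, or kept in a separate file as Apache does), exercised with the openssl command line against a constructed throwaway CA and client certificate. The last check shows what happens when CRL checking is enabled but the separate CRL file cannot be loaded. All file names and the minimal CA config are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): exercise the two CRL styles
# discussed above with only the openssl CLI, on a constructed throwaway
# CA and client certificate in a temporary directory.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"

# Constructed test PKI: a self-signed CA and one client cert it issued.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj /CN=TestCA \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj /CN=client \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
    -days 2 -out client.pem 2>/dev/null
}

# Revoke the client cert and issue a CRL. "openssl ca" needs only a database
# file and the CRL signing parameters for this; no issuing config is involved.
make_crl() {
  printf '[ca]\ndefault_ca = myca\n[myca]\ndatabase = %s/index.txt\n' "$W" > ca.cnf
  printf 'default_md = sha256\ndefault_crl_days = 30\n' >> ca.cnf
  : > index.txt
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke client.pem 2>/dev/null
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
}

# Each check exits 0 if the (revoked) client cert is accepted, non-zero if not.
# No CRL checking at all: the revoked cert is still accepted.
verify_no_crl_check() { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1; }
# Apache-style: CA file left untouched, CRL supplied from its own file.
verify_separate_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1
}
# Style from the linked article: CRL appended to the CAfile.
verify_concat_crl() {
  cat ca.pem crl.pem > bundle.pem
  openssl verify -crl_check -CAfile bundle.pem client.pem >/dev/null 2>&1
}
# CRL checking on but no CRL loaded: verification fails closed, so a missing or
# unreadable separate CRL file locks out every client rather than admitting revoked ones.
verify_crl_check_missing_crl() {
  openssl verify -crl_check -CAfile ca.pem client.pem >/dev/null 2>&1
}

make_pki; make_crl
for c in verify_no_crl_check verify_separate_crl verify_concat_crl verify_crl_check_missing_crl; do
  if "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

Whichever file layout is chosen, the store must be told to check CRLs (the -crl_check flag here, X509_V_FLAG_CRL_CHECK in the API); merely having the CRL present changes nothing.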

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC