Miroslav Lachman wrote:
>Rick Macklem wrote on 2020/03/19 03:09:
>> Miroslav Lachman wrote:
>>>
>> [...]
>
>>> NFS (or any other server) should check the list of revoked certificates too.
>>> Otherwise you will not be able to deny access to a user which you no
>>> longer want to have access.
>> Yes, good point.
>> I won't claim to understand this stuff, but from what I can see, all that is
>> done is the CRL is appended to the CAfile (the one with the CA certificates
>> in it) being used for certificate verification via SSL_CTX_load_verify_locations().
>> (https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
>> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
>>
>> There is code in sendmail that loads a CRL file separately, but it seems to
>> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
>> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
>> I think?
>> (It just seems easier to append it to CAfile than do this. The sendmail code uses
>> poorly documented functions where the man page says
>> "SSL_CTX_load_verify_locations()" normally takes care of this.)
>>
>> Does this sound right? rick
>
>I think it would be better to have it in a separate file as Apache does
>https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile
>
>Seems more convenient to have the CA file write protected (read only) and
>then a separate file for the list of revoked client certificates, maybe
>somewhere else than the CA certificate.
Done. (Actually, the SSL_CTX_load_verify_locations() failed when the CRL was
appended to the CAfile, so I needed to use a separate file to get it working.)
I found X509_load_crl_file(), which does all the glop in sendmail's tls.c file
to do it. (And it looks like the sendmail code only handles a CRL file with a
single entry in it.)

Thanks for the comments, rick
>Kind regards
>Miroslav Lachman

Received on Sat Mar 21 2020 - 00:54:00 UTC
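An added example (not from the thread, and not the NFS daemon's own code) that uses the openssl command-line tool to build a throwaway CA, issue a client certificate, revoke it, and keep the CRL in a file separate from the CAfile, the layout discussed above. It also shows the point raised earlier in the thread: a plain chain check still accepts the revoked certificate, so the server has to enable CRL checking explicitly. The CA name, file names and the config file are all constructed for this demo.

```shell
set -eu
# Constructed throwaway CA, client certificate and CRL for this demo only.
WORK=$(mktemp -d); cd "$WORK"
touch index.txt; echo 1000 > crlnumber   # "openssl ca" bookkeeping files
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# CA certificate: this is the "CAfile", which can stay read-only.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo NFS CA" -days 30 -config ca.cnf >/dev/null 2>&1
# Client certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=nfs-client-1" -config ca.cnf >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out client.pem >/dev/null 2>&1
# Revoke the client certificate and write the CRL to its own file,
# separate from the CA bundle (the Apache SSLCARevocationFile layout).
openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# verify_client MODE: prints "accepted" or "rejected". Only "with_crl"
# turns on CRL checking, which is what the server must do to honour
# revocation; a plain chain check still accepts the revoked certificate.
verify_client() {
  if [ "$1" = with_crl ]; then
    set -- -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem
  else
    set -- -CAfile ca.pem client.pem
  fi
  if openssl verify "$@" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}
echo "chain only: $(verify_client without_crl), with CRL: $(verify_client with_crl)"
```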