Date: Sat, 21 Mar 2020 01:53:56 +0000 From: Rick Macklem <rmacklem@uoguelph.ca> To: Miroslav Lachman <000.fbsd@quip.cz>, Hiroki Sato <hrs@FreeBSD.org> Cc: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org> Subject: Re: TLS certificates for NFS-over-TLS floating client Message-ID: <QB1PR01MB36491AD811EFF67A5A05A14ADDF20@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM> In-Reply-To: <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz> References: <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <20200304.133515.520383339344620673.hrs@FreeBSD.org> <c07496fe-357d-43c6-86fb-17b04e60ea26@quip.cz> <YTBPR01MB3374BB2A3ED8435FFEDEA18EDDF40@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>, <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
Miroslav Lachman wrote: >Rick Macklem wrote on 2020/03/19 03:09: >> Miroslav Lachman wrote: >>> >> [...] > >>> NFS (or any other server) should check list of revoked certificates too. >>> Otherwise you will not be able to deny access to user which you no >>> longer want to have an access. >> Yes, good point. >> I won't claim to understand this stuff, but from what I can see, all that is >> done is the CRL is appended to the CAfile (the one with the CA certificates >> are in being used for certificate verification via SSL__CTX_load_verify_locations(). >> >(https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html >> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.) >> >> There is code in sendmail that loads a CRL file separately, but it seems to >> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which >> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(), >> I think? >> (It just seems easier to append it to CAfile than do this. The sendmail code uses >> poorly documented functions where the man page says >> "SSL_CTX_load_verify_locations()" normally takes care of this.) >> >> Does this sound right? rick > >I think it would be better to have it in a separate file as Apache does >https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile > >Seems more convenient to have CA file write protected (read only) and >then separate file for list of revoked client certificates, maybe >somewhere else than CA certificate. Done. (Actually, the SSL_CTX_load_verify_locations() failed when the CRL was appended to the CAfile, so I needed to use a separate file to get it working.) I found X509_load_crl_file(), which does all the glop in sendmail's tls.c file to do it. (And it looks like the sendmail code only handles a CRL file with a single entry in it.) Thanks for the comments, rick Kind regards Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?QB1PR01MB36491AD811EFF67A5A05A14ADDF20>