Date:      Sat, 21 Mar 2020 01:53:56 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Miroslav Lachman <000.fbsd@quip.cz>, Hiroki Sato <hrs@FreeBSD.org>
Cc:        "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: TLS certificates for NFS-over-TLS floating client
Message-ID:  <QB1PR01MB36491AD811EFF67A5A05A14ADDF20@QB1PR01MB3649.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz>
References:  <YTBPR01MB3374EFF14948CB8FEA1B5CCDDDE50@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <20200304.133515.520383339344620673.hrs@FreeBSD.org> <c07496fe-357d-43c6-86fb-17b04e60ea26@quip.cz> <YTBPR01MB3374BB2A3ED8435FFEDEA18EDDF40@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>, <4865c166-33de-475f-1ddd-8ab8c5612683@quip.cz>

Miroslav Lachman wrote:
>Rick Macklem wrote on 2020/03/19 03:09:
>> Miroslav Lachman wrote:
>>>
>> [...]
>
>>> NFS (or any other server) should check the list of revoked certificates too.
>>> Otherwise you will not be able to deny access to a user who you no
>>> longer want to have access.
>> Yes, good point.
>> I won't claim to understand this stuff, but from what I can see, all that is
>> done is the CRL is appended to the CAfile (the one the CA certificates
>> are in, being used for certificate verification via SSL_CTX_load_verify_locations()).
>> (https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html
>> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
>>
>> There is code in sendmail that loads a CRL file separately, but it seems to
>> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
>> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
>> I think?
>> (It just seems easier to append it to CAfile than do this. The sendmail code uses
>>   poorly documented functions where the man page says
>>   "SSL_CTX_load_verify_locations()" normally takes care of this.)
>>
>> Does this sound right? rick
>
>I think it would be better to have it in a separate file as Apache does
>https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationfile
>
>Seems more convenient to have the CA file write protected (read only) and
>then a separate file for the list of revoked client certificates, maybe
>somewhere other than the CA certificate.
Done. (Actually, the SSL_CTX_load_verify_locations() failed when the CRL was
appended to the CAfile, so I needed to use a separate file to get it working.)

I found X509_load_crl_file(), which does all the glop in sendmail's tls.c file
to do it. (And it looks like the sendmail code only handles a CRL file
with a single entry in it.)

Thanks for the comments, rick

Kind regards
Miroslav Lachman
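The point the thread settles on (a read-only CAfile plus a separate CRL file, and the server refusing a revoked client certificate) can be demonstrated end to end with the openssl CLI. This is an added example, not code from the thread or from FreeBSD's NFS-over-TLS work; it assumes only an openssl binary (1.1.1 or 3.x) on PATH and builds a throwaway CA, client certificate and CRL in a temporary directory.

```shell
#!/bin/sh
# Added example: issue a client certificate from a throwaway CA, revoke it, and show
# that verification only refuses the certificate when the separate CRL file is
# supplied and CRL checking is enabled. Assumes the openssl CLI; nothing else.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal CA database and config that 'openssl ca' needs to issue, revoke and generate CRLs
mkdir -p ca/newcerts
touch ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
# Self-signed CA: the file that would stay read-only on the server (the CAfile)
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=demo-ca -days 365 >/dev/null 2>&1
# Client certificate issued by that CA (CN is a constructed sample name)
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj /CN=nfs-client >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -in client.csr -out client.pem >/dev/null 2>&1
# Revoke it and publish the CRL as its own file, kept apart from the CAfile
openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
# Exit 0 when the client certificate is accepted, non-zero when it is rejected
verify_ca_only() { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1; }
```

Without `-crl_check` and the CRLfile the revoked certificate still verifies; with them it is rejected as revoked, which is the same behaviour a server gets from loading the CRL via X509_load_crl_file() and enabling CRL checking on the store.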