CRL automatic download

on 28.04.2004 16:36:53 by Marc Stern


Hello,

I plan to add CRL automatic download to modssl. I mean, when a certificate
contains a CRL distribution point, use it to download the CRL just-in-time
if it's not present in the local store, or if it's outdated, ...
I have the code to do the automatic download, but the integration in
modssl doesn't look evident to me, as it's my first dive into your code.

Here is what I currently plan:
- In function "ssl_callback_SSLVerify( )", replace the call to
  "ssl_callback_SSLVerify_CRL( )" by a call to a new function
  "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
- In "ssl_callback_SSLVerify_Validity( )":
  - possibly perform an OCSP check (see my e-mail from today)
  - call "ssl_callback_SSLVerify_CRL( )"
  - if the check failed because the certificate is revoked => return error
  - download the CRL
    (this could be quite long, I could get a time-out. Any idea about that?)
  - if the download failed => return error
  - write the CRL to the registered directory
  - create a link to the CRL with name {hash}.r0
    (can't I directly copy the file under that name?)
  - add the CRL to the CRL store
    (or re-create totally the store? This wouldn't be efficient)
  - call "ssl_callback_SSLVerify_CRL( )" again

Do you see any problem with that?
Is somebody interested in participating in this, or simply discussing
more in-depth details?

Marc
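An added example, not code from the poster or from mod_ssl, written in Python rather than mod_ssl's C to show the storage part of the plan above. The file name is the one OpenSSL's hash_dir lookup (the SSLCARevocationPath directory) expects, computed with the pre-1.0.0 X509_NAME_hash (MD5 over the DER issuer name); because that lookup simply opens the path, a regular file written directly as {hash}.rN is found exactly like a link would be. The download timeout, the http-only restriction and the temp-file-plus-rename write are assumptions about how the integration would be done, not mod_ssl behaviour.

```python
import hashlib
import os
import urllib.request
from typing import Iterable


def openssl_name_hash_old(issuer_der: bytes) -> str:
    """The hash OpenSSL's hash_dir lookup used before 1.0.0 (X509_NAME_hash_old):
    MD5 over the DER-encoded issuer Name, first four bytes read little-endian,
    printed as eight lowercase hex digits."""
    md = hashlib.md5(issuer_der).digest()
    value = md[0] | (md[1] << 8) | (md[2] << 16) | (md[3] << 24)
    return f"{value:08x}"


def crl_file_name(issuer_der: bytes, existing: Iterable[str]) -> str:
    """Name for a newly stored CRL in the SSLCARevocationPath directory:
    {hash}.r0, or the next free .rN if that hash is already taken (the lookup
    tries .r0, .r1, ... in order and stops at the first missing file).
    A refreshed CRL for the same issuer should overwrite its old file instead."""
    h = openssl_name_hash_old(issuer_der)
    taken = set(existing)
    n = 0
    while f"{h}.r{n}" in taken:
        n += 1
    return f"{h}.r{n}"


def fetch_crl(url: str, timeout_s: float = 5.0) -> bytes:
    """Download the CRL named by the certificate's CRL distribution point.
    Only plain http URLs are accepted (assumption: distribution points in
    certificates are http, and anything else is refused rather than fetched).
    The timeout bounds how long a TLS handshake can stall on a slow CRL
    server; the caller treats any failure as a verification error."""
    if not url.startswith("http://"):
        raise ValueError(f"unsupported CRL distribution point scheme: {url}")
    with urllib.request.urlopen(url, timeout=timeout_s) as resp:
        return resp.read()


def store_crl(crl_der: bytes, issuer_der: bytes, crl_dir: str) -> str:
    """Write the CRL as a regular file under its hash name (no symlink needed:
    the lookup just opens the path). Temp file plus rename keeps a verify
    running in another process from reading a half-written CRL."""
    name = crl_file_name(issuer_der, os.listdir(crl_dir))
    path = os.path.join(crl_dir, name)
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(crl_der)
    os.replace(tmp, path)
    return path
```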

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org