Feature #2319

Support CRLs for client certificate verification

Added by binbrain almost 6 years ago. Updated 4 months ago.

Status: Patch Pending
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2011-06-01
Due date:
% Done: 0%
Missing in 1.5.x: No

Description

I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.

  • the regular client verification configuration discussed in ticket #1288 applies
  • new config param ssl.ca-crl-file added
  • if ssl.ca-crl-file is set, make sure the client cert isn't revoked

If all goes well, a client using a revoked cert will receive an "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.

ca-crl.patch - patch for 1.5 (3.62 KB) binbrain, 2011-06-01 19:55

ca-crl-1.4.39.patch - ssl.ca-crl-file patch for 1.4.39 (3.51 KB) flynn, 2016-03-16 14:45

ca-crl-1.4.42.patch - ssl.ca-crl-file patch for 1.4.42 (3.59 KB) flynn, 2016-10-31 08:59

History

#1 Updated by darix almost 6 years ago

  • File deleted (ca-crl.patch)

#2 Updated by binbrain almost 6 years ago

#3 Updated by stbuehler almost 6 years ago

  • Target version set to 1.5.0

#4 Updated by flynn about 1 year ago

I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".

I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations as long as the new configuration variable ssl.ca-crl-file is not used.

For the wiki I suggest the following entry:

ssl.ca-crl-file: path to the CRL file in PEM format (revocation list)
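The behaviour the description and the suggested wiki entry describe (a PEM CRL named by ssl.ca-crl-file, consulted when a client presents its certificate), as an added shell demonstration that is not part of the patch or of lighttpd. It assumes the openssl command-line tool is installed; the CA, subject names and file names are constructed for the demo.

```shell
# Added demo, not part of lighttpd or the attached patch: a throwaway CA, a
# client cert, a PEM CRL (what ssl.ca-crl-file would point at) and the check a
# server runs when that option is set. Needs the openssl CLI; names constructed.
set -e
make_ca() (   # $1 = empty working directory; runs in a subshell
  cd "$1"
  cat > ca.cnf <<'EOF'   # minimal config, only needed by 'openssl ca'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=client" >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 30 >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1   # empty CRL
)

revoke_client() (   # revoke client.crt, then re-issue the CRL
  cd "$1"
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Server-side check: chain must validate AND the leaf must be absent from the
# CRL. Prints "valid", "revoked" or "error" (e.g. CRL missing or unreadable).
check_client() {
  if out=$(cd "$1" && openssl verify -CAfile ca.crt -CRLfile ca.crl \
             -crl_check client.crt 2>&1); then echo valid; return; fi
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}

WORK=$(mktemp -d)
make_ca "$WORK";       echo "before revocation: $(check_client "$WORK")"
revoke_client "$WORK"; echo "after revocation:  $(check_client "$WORK")"; rm -rf "$WORK"
```

The second line of output is the condition under which the patched server would answer with "SSL peer rejected your certificate as revoked"; the first is the pass-through case.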

#5 Updated by gstrauss about 1 year ago

  • Target version changed from 1.5.0 to 1.4.x

#6 Updated by gstrauss 12 months ago

  • Category changed from core to TLS

#7 Updated by dirk4000 7 months ago

I would like to see this feature in next version 1.4.42.

#8 Updated by flynn 6 months ago

I updated the patch for the current version 1.4.42 for easier inclusion.

#9 Updated by gstrauss 6 months ago

Thanks, flynn. This won't make today's release, but will likely make the one following.

#10 Updated by gstrauss 4 months ago

Sorry. This won't make 1.4.44. Maybe the following release.

As noted in #2694:

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

See also #2156 where the request for feedback has unfortunately been met with silence.
