Support CRLs for client certificate verification
I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.
- regular client verification configuration discussed in ticket #1288 applies
- new config param ssl.ca-crl-file added
- if ssl.ca-crl-file is set, make sure the client cert isn't revoked
If all goes well, a client using a revoked cert will receive an "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.
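The following is an added walkthrough, not code from the ticket or from lighttpd, that builds a throwaway CA, issues a client cert, revokes it and regenerates the CRL; the two "openssl verify -crl_check" calls reproduce the accept/reject decision the server makes once ssl.ca-crl-file points at crl.pem. It assumes the openssl command-line tool is installed; the file names and the minimal ca.cnf are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the ticket or from lighttpd: build a throwaway CA, issue a
# client cert, then revoke it and regenerate the CRL. The "openssl verify -crl_check" calls
# mirror the check the server makes once ssl.ca-crl-file points at crl.pem.
crl_demo() {
  work=$(mktemp -d) && cd "$work" || return 1
  # Minimal "openssl ca" config (constructed): -revoke and -gencrl only need the database,
  # the CA key/cert and the CRL settings; no certificates are signed through "openssl ca".
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
  touch index.txt; echo 01 > serial; echo 1000 > crlnumber
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr -subj /CN=alice >/dev/null 2>&1
  openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out alice.pem -days 1 >/dev/null 2>&1
  # 1. With an empty CRL the client cert must still verify.
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem alice.pem >/dev/null 2>&1 || return 2
  # 2. Revoke alice and reissue the CRL; this crl.pem is the file ssl.ca-crl-file would point at.
  openssl ca -config ca.cnf -revoke alice.pem -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  # 3. The same cert must now fail with "certificate revoked"; the ticket's
  #    "SSL peer rejected your certificate as revoked" is the client-side view of this refusal.
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem alice.pem 2>&1 || true)
  case "$out" in *"certificate revoked"*) return 0 ;; esac
  return 3
}
```

Run `crl_demo` and check its exit status: 0 means the unrevoked cert verified and the revoked one was rejected; 2 means the empty-CRL case failed, 3 means the revocation was not detected.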
#4 Updated by flynn about 1 year ago
I adapted the patch for the current version 1.4.39 and it works for me if the revocation reason code is set to "Privilege Withdrawn".
I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations as long as the new configuration variable ssl.ca-crl-file is not used.
For the wiki I suggest the following entry:
ssl.ca-crl-file path to the CRL file in PEM format (revocation list)
Sorry. This won't make 1.4.44. Maybe the following release.
As noted in #2694:
Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).
See also #2156 where the request for feedback has unfortunately been met with silence.