/ Zope / Apsis / Pound Mailing List / Archive / 2005 / 2005-03 / Re: Does Pound support CRL checking?

Re: Does Pound support CRL checking?
Robert Segall <roseg(at)apsis.ch>
2005-03-01 19:37:12
On Saturday 26 February 2005 15:28, Damien Dougan wrote:[...]

Not for the moment - though code to check CRLs in some way would be
welcome.[...]

RE: Does Pound support CRL checking?
"Damien Dougan" <damien.dougan(at)mobilecohesion.com>
2005-03-02 10:41:38
Robert,

Here's what I did to add CRL support - please see the attached patch for
pound.c (v1.8).

I've checked this on valid and revoked certificates and it works fine.
But I should stress I'm not a security or OpenSSL expert, and can't say
there are not holes in this approach (but I believe the theory is good
:) ). 

I've also posted the details to the OpenSSL mailing list, and no one has
come shouting about security flaws (but that could be because they can't
see the context in which the patch was applied).

But if you are going to use this in a production environment, you'd want
someone with a bigger brain to verify I've not introduced any
vulnerabilities...

Damien

-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch] 
Sent: 01 March 2005 18:37
To: pound(at)apsis.ch
Subject: Re: Does Pound support CRL checking?


On Saturday 26 February 2005 15:28, Damien Dougan wrote:[...]
client[...]
allows[...]

Not for the moment - though code to check CRLs in some way would be
welcome.[...]

Re: Does Pound support CRL checking?
Robert Segall <roseg(at)apsis.ch>
2005-03-06 18:20:47
On Wednesday 02 March 2005 10:41, Damien Dougan wrote:[...]

Thanks for the patch - please see the 1.8.2 release which incorporates the 
idea. For everybody using this, please note that you are responsible for 
updating the CRL from known-good sources (the OpenSSL documentation - such as 
it is - suggests once a week), and that this may cause problems if you run a 
chrooted Pound.

A compromise of the CRL directory may lead to a DoS attack...[...]

Re: Does Pound support CRL checking?
yf-263 <yfyoufeng(at)263.net>
2005-03-07 03:59:33
Hi Robert,

I added crl_file and crl_dir to the CRL support - please have a look at
whether I got it right there.

On 2005-03-06 at 18:20 +0100, Robert Segall wrote:[...]

Since I'm a real newbie to SSL, I just can't figure out why only an
X509_STORE *store = SSL_CTX_get_cert_store(ctx[i]); and
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK); works
[...]

In the attachment, Pound-1.8.1-crl.p1: 1. adds crl_dir and crl_file to
Pound, 2. makes verify_cert() call verify_callback() in crl.c, and
crl.c is shamelessly stolen from stunnel.

In Pound-?*.p1, I added a global "X509_STORE          *revoke_store;",
because I can't find and don't know where to store store[i] in main() and
fetch it in crl_callback() in crl.c. Please give me a hand with it,
thanks!

And in openssl-users(at)openssl.org, there is the following message:

Subject: CRL verify

Hi.

I'm trying to add support for dynamic crl handling to my
application.

The approach I was thinking to use is this:

ssl_verify_callback(...)
{
        if preverify_ok is 0
                return 0;

        extract CRL distrib point from certificate;
        connect to it and download CRL file;
        add a file lookup for X509_STORE;
        load downloaded CRL file into lookup;

        if depth is 0 (peer certificate)
                verify CN against database
                ...

}


So for each CA, starting from the root, I load its CRL
that is available later when verifying the next certificate.

Can this work ?
[...]

Re: Does Pound support CRL checking?
Robert Segall <roseg(at)apsis.ch>
2005-03-07 19:16:53
I feel that using the OpenSSL "auto-magic" stuff is easier for everybody. So 
rather than doing the quasi-manual check I'd rather rely on the built-in 
mechanism.

Thanks anyway for the code.[...]
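Added example, not from this thread and not Pound's own code: the shell script below exercises the OpenSSL built-in CRL check that Robert's 1.8.2 message (keep the CRL fresh, a compromised CRL directory means DoS) and the X509_V_FLAG_CRL_CHECK exchange above refer to, using the openssl command-line tool rather than the C API. It builds a throwaway CA, issues two client certificates, revokes one, publishes a CRL, and then verifies both certificates with CRL checking on, with CRL checking on but no CRL loadable, and with CRL checking off. Every name, lifetime and file name in it is a made-up test value; the Pound configuration directive that points at the CRL is not shown on this page and is not assumed here.

```shell
#!/bin/sh
# Added example, not code from Pound or from the list posters: exercise
# OpenSSL's built-in CRL check with the openssl CLI.  Builds a throwaway CA,
# two client certificates (one of which gets revoked) and a CRL in a temp
# directory.  All names, lifetimes and file names are made-up test values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_test_pki: writes ca.pem, good.pem, revoked.pem and crl.pem into $PWD.
make_test_pki() {
    # Config for "openssl req" (an empty DN section is enough when -subj is
    # given) plus the extensions for the CA and the end-entity certificates.
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Minimal config for "openssl ca", which keeps the revocation database
    # (index.txt) and signs the CRL; nextUpdate is 7 days out.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
    touch index.txt

    # Self-signed CA.
    openssl ecparam -name prime256v1 -genkey -noout -out ca.key
    openssl req -new -config ext.cnf -key ca.key -subj '/CN=Example Test CA' -out ca.csr
    openssl x509 -req -in ca.csr -signkey ca.key -days 2 \
        -extfile ext.cnf -extensions v3_ca -out ca.pem

    # Two client certificates issued by that CA.
    for name in good revoked; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
        openssl req -new -config ext.cnf -key "$name.key" -subj "/CN=$name client" -out "$name.csr"
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1 -extfile ext.cnf -extensions v3_leaf -out "$name.pem"
    done

    # Revoke one of them and publish the CRL a server would load.
    openssl ca -config ca.cnf -revoke revoked.pem
    openssl ca -config ca.cnf -gencrl -out crl.pem
} >/dev/null 2>&1

# verify_with_crl CERT [CRL]: "openssl verify" with CRL checking switched on
# (-crl_check is the CLI face of X509_V_FLAG_CRL_CHECK).  Prints the verifier's
# verdict and returns its exit status: 0 only if CERT chains to ca.pem AND a
# valid CRL from the issuer says it is not revoked.
verify_with_crl() {
    cert=$1
    if [ $# -ge 2 ]; then
        out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$cert" 2>&1) && rc=0 || rc=$?
    else
        out=$(openssl verify -crl_check -CAfile ca.pem "$cert" 2>&1) && rc=0 || rc=$?
    fi
    printf '%s\n' "$out" | sed 's/^/    /'
    return $rc
}

# verify_without_crl_check CERT: the same chain check with revocation ignored,
# which is what a server gets when it never sets the flag.
verify_without_crl_check() {
    out=$(openssl verify -CAfile ca.pem "$1" 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out" | sed 's/^/    /'
    return $rc
}

make_test_pki
echo "CRL checking on, current CRL present:"
verify_with_crl good.pem crl.pem || true
verify_with_crl revoked.pem crl.pem || true
echo "CRL checking on, but no CRL loadable (wiped or unreadable CRL directory):"
verify_with_crl good.pem || true
echo "CRL checking off:"
verify_without_crl_check revoked.pem || true
```

The second and third cases are the two sides of the trade-off Robert describes. The revoked certificate is rejected with "certificate revoked" only because the flag is set; without it the same certificate is accepted. Once the flag is set, though, the check fails closed: a CRL that is missing, unreadable, expired (nextUpdate in the past) or replaced by garbage turns every client into "unable to get certificate CRL" or "CRL has expired", which is the DoS he mentions and why a refresh has to reach the file Pound actually reads, inside the chroot when it runs chrooted. -crl_check only checks the leaf certificate; -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL) checks every CA in the chain as well. Inside a server the equivalent of the CLI flags is X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_CRL_CHECK) after the CRL has been loaded into that store, for instance with X509_load_crl_file() on a lookup added via X509_STORE_add_lookup(store, X509_LOOKUP_file()).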