Hello,
Has anyone worked on CRL checking in mod_ssl?
I don't have any standard CRL available (using XCert Sentry), but I
can generate a list of revoked serial numbers quite easily.
From looking at the source my guess is that I should modify
ssl_callback_SSLVerify, using X509_get_serialNumber (and
ASN1_INTEGER_get) to extract the serial no?
Is this a workable solution, and perhaps has anybody already tried
this and have some code / advice to share? Would it be too much of
a performance killer to try to use LDAP to look up cert status, or
should I load the list locally and access it through something like
shmem or perhaps dbm when it gets too big?
Alternatively I would be working on doing this through OCSP, but I'd
rather wait with that for a while.
BTW: What versions of ssleay/openssl are supported by mod_ssl? I haven't
been able to find that in the docs.
TIA for any hints, pointers, etc.
vh.
Mads Toftum, QDPH
---
This is Linux Country. On a quiet night, you can hear Windows NT reboot!
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
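A serial-number revocation check of the kind the post describes, as an added example that is not from the original post nor from mod_ssl itself. It compares the peer certificate's serial as raw big-endian bytes against a constructed in-memory revocation list, because ASN1_INTEGER_get() returns a long and cannot represent a serial wider than 8 octets (RFC 5280 allows 20). The DER input is assumed to be what i2d_ASN1_INTEGER() applied to X509_get_serialNumber(cert) would yield inside the verify callback; the OpenSSL calls are left out so the block builds stand-alone.

```c
#include <stddef.h>
#include <string.h>

#define SERIAL_MAX 20   /* RFC 5280 caps certificate serials at 20 octets */

typedef struct { size_t len; unsigned char b[SERIAL_MAX]; } serial_t;

/* Constructed sample revocation list; every serial here is hypothetical. */
static const serial_t REVOKED[] = {
    { 1, { 0x05 } },
    { 2, { 0x10, 0x2a } },
    /* 9 significant octets: wider than a long, so ASN1_INTEGER_get() could not hold it */
    { 9, { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x11 } },
};

/* Copy a big-endian magnitude into out, dropping leading zero octets so that
 * "00 2a" and "2a" denote the same serial. Returns 1 on success, 0 if too long. */
static int set_serial(const unsigned char *p, size_t n, serial_t *out)
{
    while (n > 1 && p[0] == 0x00) { p++; n--; }
    if (n == 0 || n > SERIAL_MAX) return 0;
    out->len = n;
    memcpy(out->b, p, n);
    return 1;
}

/* Decode one DER INTEGER (tag 0x02, short-form length) into a serial.
 * Negative values are rejected: RFC 5280 requires a positive serial. */
int der_serial_decode(const unsigned char *der, size_t derlen, serial_t *out)
{
    if (derlen < 3 || der[0] != 0x02) return 0;
    size_t len = der[1];
    if (len == 0 || len > 0x7f || 2 + len != derlen) return 0;
    if (der[2] & 0x80) return 0;                 /* negative integer */
    return set_serial(der + 2, len, out);
}

/* Linear scan is fine for a small list; a sorted table or dbm takes over when it grows. */
int serial_is_revoked(const serial_t *s)
{
    for (size_t i = 0; i < sizeof REVOKED / sizeof REVOKED[0]; i++)
        if (REVOKED[i].len == s->len && memcmp(REVOKED[i].b, s->b, s->len) == 0)
            return 1;
    return 0;
}

/* The decision the verify callback would return for the peer certificate whose
 * DER-encoded serial is passed in: 1 = accept, 0 = reject. Malformed input is
 * rejected, never accepted by accident. */
int verify_serial_der(const unsigned char *der, size_t derlen)
{
    serial_t s;
    if (!der_serial_decode(der, derlen, &s)) return 0;
    return serial_is_revoked(&s) ? 0 : 1;
}
```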