>here are some entries in the wishlist to check lastUpdate, nextUpdate, extensions
>too when local policy will specify requirements.
I've been doing CRL checks in SSLrshd and my other SSL apps since
about SSLeay-0.66 vintage. I use a multi-value return code as described
below. I use the nextUpdate field to check if the CRL is current.
/*
 * NAME:
 *      crl - check for revoked x509 certs
 *
 * DESCRIPTION:
 *      SSL Verify callbacks can call crl_check(ctx,xs), which will
 *      indicate which of the following cases is true.
 *
 *      1 we cannot find a CRL for issuer, return 0
 *      2 we have a CRL which revokes xs, return -2
 *      3 we have an expired CRL for issuer which does not revoke xs,
 *        return -1
 *      4 we have a valid CRL for issuer which does not revoke xs,
 *        return 1
 *
 * SEE ALSO:
 *      sslfd(3)
 *
 * AUTHOR:
 *      Simon J. Gerraty <[EMAIL PROTECTED]>
 */
I've not yet looked at 0.9 but be aware that CRL checking will exercise
bugs in SSLeay-0.8.1 (and earlier) mostly due to incomplete initialization
of the structs involved. I've sent patches to Eric so I expect 0.9 should
be ok.
I've previously sent crl.c to both Eric and Ben (though I'm pretty sure
there was a bug in that/those versions :-)
See http://www.quick.com.au/ftp/pub/sjg/help/crl.html and friends for
more. Note that the license restriction for libsslfd does NOT apply
to crl.c - I'm happy for everyone to use it.
You can get the latest version of crl.c from
http://www.quick.com.au/ftp/pub/sjg/crl.c
and you need this for 0.8.1
http://www.quick.com.au/ftp/pub/sjg/crl-081.patch
--sjg
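The four-way return contract above, modelled as an added example that is not the crl.c from the post. It assumes constructed in-memory stand-ins for the CRL and certificate (not SSLeay's X509/X509_CRL types), uses nextUpdate to decide whether a CRL is current, and shows how a verify callback's local policy can consume the code.

```c
/* Added example, not Simon Gerraty's crl.c: a self-contained model of the
 * crl_check() return-code contract. The structs are constructed stand-ins
 * for the real X509 / X509_CRL objects. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

struct crl_entry {               /* constructed stand-in for one CRL */
    const char *issuer;
    time_t next_update;          /* CRL is current while now < next_update */
    const long *revoked;         /* serial numbers listed as revoked */
    size_t nrevoked;
};

struct cert_entry {              /* constructed stand-in for the cert xs */
    const char *issuer;
    long serial;
};

/* Return codes follow the contract in the post:
 *   0: no CRL found for issuer
 *  -2: a CRL for issuer revokes xs (regardless of CRL age)
 *  -1: the only CRL for issuer is expired and does not list xs
 *   1: a current CRL for issuer does not list xs */
int crl_check(const struct crl_entry *crls, size_t ncrls,
              const struct cert_entry *xs, time_t now)
{
    for (size_t i = 0; i < ncrls; i++) {
        if (strcmp(crls[i].issuer, xs->issuer) != 0)
            continue;
        for (size_t j = 0; j < crls[i].nrevoked; j++)
            if (crls[i].revoked[j] == xs->serial)
                return -2;       /* revoked: fatal even if the CRL is stale */
        return now < crls[i].next_update ? 1 : -1;
    }
    return 0;
}

/* One local policy a verify callback could apply to the code: a current,
 * non-revoking CRL (1) always passes; 0 and -1 pass only when the site
 * does not insist on a fresh CRL; -2 never passes. */
bool policy_accepts(int rc, bool require_current_crl)
{
    if (rc == -2) return false;
    if (rc == 1)  return true;
    return !require_current_crl;  /* rc is 0 or -1 */
}
```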
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+