From Nicob <>
Subject Re: CRL verification in mod_ssl
Date Sat, 30 Aug 2008 12:50:46 GMT

> But this is a bit too obscure for me to dare to commit it directly.  
> Could someone else with a good x509 understanding look at it ?

I'm not an x509 expert but I studied the patch and it seems to implement
precisely what is described in RFC 3280 "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List (CRL)
Profile". It implements the matching on the Authority DN (vs. Authority
Key ID actually) during client certificate verification against a CRL
*and* a required test during CRL validation, as described in paragraph
6.3.3 of RFC 3280:

(f)  Obtain and validate the certification path for the complete CRL
   issuer.  If a key usage extension is present in the CRL issuer's
   certificate, verify that the cRLSign bit is set.

And in the patch:

+         /* Ignore this certificate if it doesn't have the right to
+          * sign CRLs */
+         if ((testedcert->ex_flags & EXFLAG_KUSAGE) && !(testedcert->ex_kusage
+           continue;
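Review bot: the comment above the `if` should state the rule it enforces rather than the vague "doesn't have the right to sign CRLs", e.g. "RFC 3280 6.3.3 (f): skip a candidate issuer whose key usage extension is present but lacks cRLSign", because the `EXFLAG_KUSAGE` guard deliberately accepts certificates with no key usage extension at all, and a future reader may otherwise tighten the test and break CRLs issued by such CAs.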

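The rule the patch applies, as a stand-alone added example (my own code, not the mod_ssl patch or OpenSSL): it decodes a DER KeyUsage value, applies the RFC 3280 6.3.3 (f) test exactly as quoted above (a candidate issuer is rejected only when it has a key usage extension without cRLSign), and walks a constructed list of candidate issuer certificates the way the patch's `continue` does. The `candidate_t` struct, the function names and the DER byte strings are all constructed for this example and are not real certificates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 3280 4.2.1.3 KeyUsage bit numbers (only the ones used here). */
enum { KU_DIGITAL_SIGNATURE = 0, KU_KEY_ENCIPHERMENT = 2,
       KU_KEY_CERT_SIGN = 5, KU_CRL_SIGN = 6 };

/* Decoded key usage: 'present' is 0 when the certificate has no KeyUsage
 * extension; otherwise bit i of 'usage' mirrors RFC key usage bit i. */
typedef struct {
    int present;
    unsigned int usage;
} key_usage_t;

/* Decode a DER KeyUsage value (BIT STRING, short-form length) into *out.
 * Returns 0 on success, -1 if the encoding is malformed. */
int parse_key_usage(const uint8_t *der, size_t len, key_usage_t *out)
{
    size_t content, i, nbits;
    unsigned int unused;

    if (der == NULL || len < 3 || der[0] != 0x03 || der[1] >= 0x80)
        return -1;
    content = der[1];
    if (content < 1 || len != 2 + content)
        return -1;
    unused = der[2];
    if (unused > 7 || (content == 1 && unused != 0))
        return -1;
    /* DER requires the unused trailing bits to be zero. */
    if (content > 1 && (der[len - 1] & ((1u << unused) - 1)) != 0)
        return -1;

    out->present = 1;
    out->usage = 0;
    nbits = (content - 1) * 8 - unused;
    for (i = 0; i < nbits && i < 16; i++) {
        /* RFC bit i lives in byte i/8, most significant bit first. */
        if (der[3 + i / 8] & (0x80u >> (i % 8)))
            out->usage |= 1u << i;
    }
    return 0;
}

/* The RFC 3280 6.3.3 (f) test: a candidate CRL issuer is rejected only when
 * it carries a key usage extension that lacks cRLSign. */
int may_sign_crl(const key_usage_t *ku)
{
    if (!ku->present)
        return 1;
    return (ku->usage & (1u << KU_CRL_SIGN)) != 0;
}

/* Stand-in for an X509 certificate (constructed for this example): a name
 * plus its raw KeyUsage value, or NULL when the extension is absent. */
typedef struct {
    const char *name;
    const uint8_t *ku_der;
    size_t ku_len;
} candidate_t;

/* Walk the candidate issuers and return the first one allowed to sign
 * CRLs, skipping the others the way the patch's `continue` does. */
const candidate_t *select_crl_issuer(const candidate_t *cands, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        key_usage_t ku = { 0, 0 };
        if (cands[i].ku_der != NULL &&
            parse_key_usage(cands[i].ku_der, cands[i].ku_len, &ku) != 0)
            continue;  /* malformed extension: never use it as an issuer */
        if (!may_sign_crl(&ku))
            continue;  /* has KeyUsage, but cRLSign is not set */
        return &cands[i];
    }
    return NULL;
}

/* Constructed sample DER values (not taken from any real certificate). */
static const uint8_t ku_server[] = { 0x03, 0x02, 0x05, 0xa0 }; /* digitalSignature, keyEncipherment */
static const uint8_t ku_ca[]     = { 0x03, 0x02, 0x01, 0x06 }; /* keyCertSign, cRLSign */
static const uint8_t ku_bad[]    = { 0x03, 0x02, 0x01, 0x07 }; /* unused bit set: not valid DER */

static const candidate_t sample_candidates[] = {
    { "server-cert (same subject DN as the CA, TLS usages only)", ku_server, sizeof ku_server },
    { "broken-cert (malformed KeyUsage)", ku_bad, sizeof ku_bad },
    { "ca-cert (keyCertSign + cRLSign)", ku_ca, sizeof ku_ca },
    { "legacy-ca (no KeyUsage extension at all)", NULL, 0 },
};
static const size_t sample_candidate_count =
    sizeof sample_candidates / sizeof sample_candidates[0];

int main(void)
{
    const candidate_t *c = select_crl_issuer(sample_candidates, sample_candidate_count);
    printf("selected CRL issuer: %s\n", c ? c->name : "(none)");
    return 0;
}
```

The server certificate is listed first on purpose: in the DN-matching case the thread discusses, a leaf certificate whose subject DN equals the CA's name is a plausible false match, and only the cRLSign test keeps it from being used to validate the CRL. The last entry shows the other half of the rule: a CA with no KeyUsage extension is still accepted, which is why the patch guards the test with `EXFLAG_KUSAGE`.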

