trafficserver-users mailing list archives

From Susan Hinrichs <shinr...@verizonmedia.com>
Subject Re: Revocation checks on client certificate
Date Tue, 03 Dec 2019 16:31:28 GMT
No, ATS does not support revocation checks on the client certificate.  By
default it checks that the certificate is signed by a trusted root and is
not expired.  Adding revocation logic is an interesting idea.

There is a hook (TS_EVENT_SSL_VERIFY_CLIENT) where you can have
your plugin attach additional logic to verify the client-provided
certificate.
https://docs.trafficserver.apache.org/en/latest/developer-guide/api/types/TSEvent.en.html?highlight=ts_event_ssl_verify_client#c.TS_EVENT_SSL_VERIFY_CLIENT

Looks like this is another place that could use some more documentation.
However, there is a test plugin that exercises the hook
https://github.com/apache/trafficserver/blob/master/tests/tools/plugins/ssl_client_verify_test.cc

On Tue, Dec 3, 2019 at 5:35 AM supraja sridhar <suprajasridhar95@gmail.com>
wrote:

> Hello,
>
> Does ATS perform revocation check on client certificate? Does it support
> CRL and OCSP?
>
> Thanks,
> Supraja
>
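
Added example, not part of the original message and not code from the ATS project: a sketch of the CRL decision a plugin's TS_EVENT_SSL_VERIFY_CLIENT handler could make once it has the peer certificate's issuer and serial. The types and function names (ClientCert, Crl, normalize_serial, crl_status, accept_client) are hypothetical, and the ATS hook wiring and the X.509/CRL parsing are assumed to happen elsewhere.

```cpp
#include <cctype>
#include <ctime>
#include <map>
#include <set>
#include <string>

// Constructed stand-ins for what a plugin would extract from the peer
// certificate and from CRLs it has already parsed and signature-checked.
// None of these types come from ATS or OpenSSL.
struct ClientCert { std::string issuer, serial; };
struct Crl {
  std::time_t this_update, next_update;
  std::set<std::string> revoked; // serials in normalized form
};
enum class Revocation { Good, Revoked, Unknown };

// Serials show up as "0a:1B", "0A1B" or "a1b"; compare one canonical form
// (uppercase hex, no separators, no leading zeros).
std::string normalize_serial(const std::string &s) {
  std::string out;
  for (unsigned char c : s)
    if (std::isxdigit(c)) out += static_cast<char>(std::toupper(c));
  auto nz = out.find_first_not_of('0');
  return nz == std::string::npos ? "0" : out.substr(nz);
}

// Look the certificate up in the CRL published by its own issuer.
Revocation crl_status(const ClientCert &cert,
                      const std::map<std::string, Crl> &crls,
                      std::time_t now) {
  auto it = crls.find(cert.issuer);
  if (it == crls.end()) return Revocation::Unknown; // no CRL for this issuer
  const Crl &crl = it->second;
  if (now < crl.this_update || now > crl.next_update)
    return Revocation::Unknown; // CRL not yet valid, or stale
  return crl.revoked.count(normalize_serial(cert.serial))
             ? Revocation::Revoked : Revocation::Good;
}

// Policy step: the result the handler would turn into accept or reject.
// fail_closed = true rejects clients whose status cannot be determined.
bool accept_client(Revocation status, bool fail_closed = true) {
  if (status == Revocation::Good) return true;
  if (status == Revocation::Revoked) return false;
  return !fail_closed;
}
```

The Unknown branch is the one to decide deliberately: failing open on a stale or missing CRL means a revoked certificate is accepted whenever CRL distribution breaks.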
