Re: [exim-dev] TLS OpenSSL CRL Handling

Author: Philip Hazel
Date:  
To: Lars Mainka
CC: Exim Developer Mailinglist
Subject: Re: [exim-dev] TLS OpenSSL CRL Handling
On Tue, 8 Mar 2005, Lars Mainka wrote:

> For openssl versions greater than 0.9.7 the crl handling will be done by a
> single add command for a crl file (X509_STORE_add_crl(ctx,crl)). Instead of
> using that method it would make more sense (in my mind) to use the
> X509_STORE_load_locations(ctx,file,dir) method, cause then everyone would be
> able to serve a file or a hash dir to the ssl context.
I don't think any of the main Exim maintainers are at all expert in
OpenSSL. I certainly am not. The CRL support was originally supplied as
a patch, which I integrated and was happy with once I found that a simple
test worked.

> The X509_STORE_load_locations() method supplies the context with the needed
> lookups by itself, so it is possible then to use multiple crls within one
> file or a directory for hashed crl entries.
>
> I think this would make the crl handling (especially of multiple crls) much
> easier and this is not a big change on the sources.
Would such a change be upwards compatible? Can you supply a suggested
patch? That has much more of a chance of being included and tested.
Otherwise somebody has to spend time learning about OpenSSL and figuring
out what to do. My own time for working on the code is extremely limited
at present.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
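The loading scheme proposed in the quoted message, shown as an added example that is not part of this thread or of Exim's code. Python's `SSLContext.load_verify_locations()` wraps `SSL_CTX_load_verify_locations()`, which calls `X509_STORE_load_locations()` on the context's store, so it picks up CRLs from the same PEM file or hashed directory as the CA certificates. The function names and the temporary-directory demo are this example's own; the one detail the message leaves out is that loaded CRLs are ignored until a `X509_V_FLAG_CRL_CHECK*` flag is set.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's by_dir lookup names hashed CRLs "<8 hex digits>.r<n>";
# certificates use "<8 hex digits>.<n>" (no "r"), which is a common mix-up.
_HASHED_CRL_NAME = re.compile(r"^[0-9a-f]{8}\.r\d+$")


def is_hashed_crl_name(name):
    """True if a file name follows the hashed-directory CRL convention."""
    return _HASHED_CRL_NAME.match(name) is not None


def hashed_crl_entries(capath):
    """List the CRL entries OpenSSL would consider in a hashed directory."""
    return sorted(n for n in os.listdir(capath) if is_hashed_crl_name(n))


def make_crl_checking_context(cafile=None, capath=None, whole_chain=False):
    """Server-side TLS context that loads CAs and CRLs from a PEM file
    and/or a hashed directory, then actually enables CRL checking."""
    if cafile is None and capath is None:
        raise ValueError("need a CA/CRL file or a hashed directory")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # require a client certificate
    # One call loads certificates *and* CRLs via X509_STORE_load_locations().
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    # Without one of these flags OpenSSL never consults the loaded CRLs.
    flag = ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain else ssl.VERIFY_CRL_CHECK_LEAF
    ctx.verify_flags |= flag
    return ctx


def crl_checking_enabled(ctx):
    """Report whether either CRL-check flag is set on the context."""
    mask = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    return bool(ctx.verify_flags & mask)


def demo():
    """Constructed demo: a hashed directory is only recorded at load time
    (OpenSSL reads it during verification), so an empty one builds fine."""
    with tempfile.TemporaryDirectory() as capath:
        ctx = make_crl_checking_context(capath=capath)
        return crl_checking_enabled(ctx)


if __name__ == "__main__":
    print("CRL checking enabled:", demo())
```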