
List:       bacula-devel
Subject:    Re: [Bacula-devel] Certificate Revocation Lists
From:       Landon Fuller <landonf () bikemonkey ! org>
Date:       2008-07-26 22:11:42
Message-ID: CF157459-CFDC-4DC6-BE48-BFED7CFD113B () bikemonkey ! org


On Jul 26, 2008, at 2:55 AM, Hanno Stock wrote:

> Hello Bacula Developers / Users,
>
> is there a way to use Certificate Revocation Lists in Bacula with TLS
> support? Or is there any such feature planned?
>
> I think this is important in a bigger deployment.

The feature is not currently supported, but if you are interested in  
adding it, take a look at new_tls_context() in src/lib/tls.c.

I believe it should be sufficient to fetch the backing X.509 store  
using SSL_CTX_get_cert_store(), and load the CRL list(s) with  
X509_load_crl_file(), and enable CRL checking with  
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL.

This is only supported in OpenSSL 0.9.7 or later.

-landonf
