* [PATCH 1/3] Add server-side CRL checking
From: Rik Theys @ 2025-06-11 7:09 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
If an x509.crl option is specified in the authenticate.server
section of the configuration file, use it as a certificate
revocation list.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/server.c | 14 ++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 48 insertions(+)
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index be5d472..1963116 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -350,6 +350,39 @@ bool tlshd_config_get_server_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_server_crl - Get CRL for ServerHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_server_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("server x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Server x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_server_certs - Get certs for ServerHello from .conf
* @certs: OUT: in-memory certificates
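Review bot: tlshd_config_get_server_crl returns false both when x509.crl is absent and when it is set but fails the `access()` probe, so the caller cannot distinguish "no CRL configured" from "configured CRL is missing" and, as server.c shows, continues the handshake with no revocation checking and only a debug-level message. Since the administrator explicitly asked for revocation checking, the second case is better surfaced as a configuration error (a distinct return value, or at least a log above debug level) so the handshake can fail closed instead of open. The probe should also ask for what the daemon actually needs, `} else if (access(pathname, R_OK)) {`, since F_OK passes for a file tlshd cannot read. The kernel-doc line "Get CRL for ServerHello" is misleading: the CRL is used to verify the peer's certificate, not sent in the ServerHello, so `Get the CRL used to verify client certificates, from .conf` would be more accurate.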
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 72ff6f5..bf4b740 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -219,6 +219,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -239,6 +240,19 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_server_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
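Review bot: The new block aborts only on `ret < 0`, yet the debug message treats `ret` as the number of CRLs loaded, so a file GnuTLS accepts but that yields zero CRLs (assuming gnutls_certificate_set_x509_crl_file can return 0 for such input) logs "Loaded 0 CRL(s)" and the handshake proceeds without revocation checking even though an administrator configured a CRL. Failing closed is safer: check `if (ret <= 0)` and, for the zero case, log a plain message rather than calling tlshd_log_gnutls_error(0), which would report success. The "System CRL:" prefix is also inaccurate because the CRL only ever comes from the x509.crl option; `"Loaded %d CRL(s) from x509.crl."` reads better, and the stray space in `if (ret < 0 )` should go. tlshd_tls13_server_x509_handshake starts before and continues past this hunk.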
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 135e1e0..617d1c6 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -61,6 +61,7 @@ bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
bool tlshd_config_get_server_truststore(char **bundle);
+bool tlshd_config_get_server_crl(char **bundle);
bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey);
--
2.49.0
* [PATCH 2/3] Add client-side CRL checking
From: Rik Theys @ 2025-06-11 7:09 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
If an x509.crl option is specified in the authenticate.client
section of the configuration file, use it as a certificate
revocation list.
This commit only adds the check for TCP-based TLS sessions.
Support for QUIC still needs to be added.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/client.c | 28 ++++++++++++++++++++++++++++
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 62 insertions(+)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 9c8f512..189452f 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -49,6 +49,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -77,6 +78,19 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
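Review bot: The log strings in the new block say "System CRL" although the CRL is never taken from a system location, only from the x509.crl option; mirroring the "System trust" wording makes the debug output misleading when an operator greps for where the list came from, so `"CRL: Loaded %d CRL(s) from x509.crl."` and `"CRL: no x509.crl configured; revocation is not checked."` would be clearer. The second message also documents the fail-open default, which is the thing an operator most needs to notice in a log. tlshd_tls13_client_anon_handshake starts before and continues past this hunk.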
@@ -275,6 +289,7 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -295,6 +310,19 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
if (!tlshd_x509_client_get_privkey(parms))
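Review bot: Loading the CRL into xcred only has an effect if the peer verification that follows (outside this hunk) lets GnuTLS consult it; if tlshd's verify callback passes GNUTLS_VERIFY_DISABLE_CRL_CHECKS or ignores the revocation status bits, x509.crl becomes a silent no-op, so that path is worth confirming and a comment above the block such as `/* Consulted by GnuTLS during peer verification; the CRL issuer must be in the trust store. */` would record the dependency. An operational caveat follows from the same mechanism: as far as I recall, GnuTLS reports GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED for a CRL whose nextUpdate has passed, so a CRL file that is not refreshed may start failing every handshake rather than only revoked ones; that deserves a line in the man page. tlshd_tls13_client_x509_handshake starts before and continues past this hunk.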
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index 1963116..7041fe9 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -212,6 +212,39 @@ bool tlshd_config_get_client_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_client_crl - Get CRL for ClientHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_client_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("client x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Client x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_client_certs - Get certs for ClientHello from .conf
* @certs: OUT: in-memory certificates
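Review bot: tlshd_config_get_client_crl is a line-for-line copy of tlshd_config_get_server_crl with only the section name and log text differing, and both in turn repeat the existing truststore getters' lookup/access()/strdup sequence; a single `static bool tlshd_config_get_pathname(const char *section, const char *key, const char *what, char **out)` would hold that once and leave the public getters as one-line wrappers. The mixed allocator use deserves a comment, since a reader may wonder why a g_free'd string is copied with strdup: `/* hand back a malloc'd copy; callers free(3) it, never g_free() */`. As with the server variant, a configured but unreadable file returns false and the caller proceeds without revocation checking, which is a fail-open worth flagging above debug level.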
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 617d1c6..f674cae 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -57,6 +57,7 @@ extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms
bool tlshd_config_init(const gchar *pathname);
void tlshd_config_shutdown(void);
bool tlshd_config_get_client_truststore(char **bundle);
+bool tlshd_config_get_client_crl(char **bundle);
bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
--
2.49.0
* [PATCH 3/3] Add x509.crl option to man page.
From: Rik Theys @ 2025-06-11 7:09 UTC (permalink / raw)
To: kernel-tls-handshake; +Cc: Rik Theys
Update the man page to include the x509.crl option available
in the authenticate.server and authenticate.client section.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/tlshd.conf.man | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/tlshd/tlshd.conf.man b/src/tlshd/tlshd.conf.man
index 9d6d92f..745058a 100644
--- a/src/tlshd/tlshd.conf.man
+++ b/src/tlshd/tlshd.conf.man
@@ -94,7 +94,7 @@ and it consults the settings in the
.I [server]
subsection when handling the server end of a handshake.
.P
-In each of these two subsections, there are three available options:
+In each of these two subsections, there are four available options:
.TP
.B x509.truststore
This option specifies the pathname of a file containing a
@@ -104,6 +104,13 @@ If this option is not specified,
.B tlshd
uses the system's trust store.
.TP
+.B x509.crl
+This option specifies the pathname of a file containing a
+PEM-encoded certificate revocation list (CRL) that is to be
+used to verify the revocation status of a certificate during
+a handshake.
+If this option is not specified, no CRL checking takes place.
+.TP
.B x509.certificate
This option specifies the pathname of a file containing
a PEM-encoded x.509 certificate that is to be presented during
--
2.49.0
* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-11 13:49 UTC (permalink / raw)
To: Long Xin; +Cc: kernel-tls-handshake, Rik Theys
On 6/11/25 3:09 AM, Rik Theys wrote:
> These patches add CRL checking to the TLS client and server code.
>
> It introduces an x509.crl configuration option that specifies the
> location of a CRL in PEM format.
>
> The CRL (certificate revocation list) can be used by an administrator
> to block access to certificates that should no longer be trusted
> for some reason.
>
> See https://github.com/oracle/ktls-utils/issues/103
>
> Rik Theys (3):
> Add server-side CRL checking
> Add client-side CRL checking
> Add x509.crl option to man page.
>
> src/tlshd/client.c | 28 +++++++++++++++++
> src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++++
> src/tlshd/server.c | 14 +++++++++
> src/tlshd/tlshd.conf.man | 9 +++++-
> src/tlshd/tlshd.h | 2 ++
> 5 files changed, 118 insertions(+), 1 deletion(-)
>
Also note that this will need a similar code change to the QUIC paths,
eventually.
--
Chuck Lever
* Re: [PATCH 0/3] Add CRL checking to server and client
From: Long Xin @ 2025-06-12 14:28 UTC (permalink / raw)
To: Chuck Lever; +Cc: kernel-tls-handshake, Rik Theys
On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On 6/11/25 3:09 AM, Rik Theys wrote:
> > These patches add CRL checking to the TLS client and server code.
> >
> > It introduces an x509.crl configuration option that specifies the
> > location of a CRL in PEM format.
> >
> > The CRL (certificate revocation list) can be used by an administrator
> > to block access to certificates that should no longer be trusted
> > for some reason.
> >
> > See https://github.com/oracle/ktls-utils/issues/103
> >
> > Rik Theys (3):
> > Add server-side CRL checking
> > Add client-side CRL checking
> > Add x509.crl option to man page.
> >
> > src/tlshd/client.c | 28 +++++++++++++++++
> > src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++++
> > src/tlshd/server.c | 14 +++++++++
> > src/tlshd/tlshd.conf.man | 9 +++++-
> > src/tlshd/tlshd.h | 2 ++
> > 5 files changed, 118 insertions(+), 1 deletion(-)
> >
>
> Also note that this will need a similar code change to the QUIC paths,
> eventually.
>
Yes, there's no difference for the certificate credentials
configuration for QUIC.
I think it will be nice to have a function like:
static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
xcred)
{
char *crlfile;
char *cafile;
int ret;
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
free(cafile);
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0)
return ret;
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
if (tlshd_config_get_server_crl(&crlfile)) {
ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 )
return ret;
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
gnutls_certificate_set_retrieve_function2(xcred,
tlshd_x509_retrieve_key_cb);
return GNUTLS_E_SUCCESS;
}
then use it in both tlshd_tls13/quic_server_x509_handshake().
and do the same thing in client.c.
Thanks.
* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-16 14:39 UTC (permalink / raw)
To: Rik Theys; +Cc: kernel-tls-handshake, Long Xin
On 6/12/25 10:28 AM, Long Xin wrote:
> On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>
>> On 6/11/25 3:09 AM, Rik Theys wrote:
>>> These patches add CRL checking to the TLS client and server code.
>>>
>>> It introduces an x509.crl configuration option that specifies the
>>> location of a CRL in PEM format.
>>>
>>> The CRL (certificate revocation list) can be used by an administrator
>>> to block access to certificates that should no longer be trusted
>>> for some reason.
>>>
>>> See https://github.com/oracle/ktls-utils/issues/103
>>>
>>> Rik Theys (3):
>>> Add server-side CRL checking
>>> Add client-side CRL checking
>>> Add x509.crl option to man page.
>>>
>>> src/tlshd/client.c | 28 +++++++++++++++++
>>> src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++++
>>> src/tlshd/server.c | 14 +++++++++
>>> src/tlshd/tlshd.conf.man | 9 +++++-
>>> src/tlshd/tlshd.h | 2 ++
>>> 5 files changed, 118 insertions(+), 1 deletion(-)
>>>
>>
>> Also note that this will need a similar code change to the QUIC paths,
>> eventually.
>>
> Yes, there's no difference for the certificate credentials
> configuration for QUIC.
>
> I think it will be nice to have a function like:
>
> static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
> xcred)
> {
> char *crlfile;
> char *cafile;
> int ret;
>
> if (tlshd_config_get_server_truststore(&cafile)) {
> ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
>
> GNUTLS_X509_FMT_PEM);
> free(cafile);
> } else
> ret = gnutls_certificate_set_x509_system_trust(xcred);
> if (ret < 0)
> return ret;
> tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
>
> if (tlshd_config_get_server_crl(&crlfile)) {
> ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
> GNUTLS_X509_FMT_PEM);
> free(crlfile);
> if (ret < 0 )
> return ret;
> tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
> } else {
> tlshd_log_debug("System CRL: No CRL file configured.");
> }
>
> gnutls_certificate_set_retrieve_function2(xcred,
> tlshd_x509_retrieve_key_cb);
> return GNUTLS_E_SUCCESS;
> }
>
> then use it in both tlshd_tls13/quic_server_x509_handshake().
> and do the same thing in client.c.
>
> Thanks.
Rik, do you want to take a crack at the suggested code re-organization,
or do you want me to just take your series as-is and fix it up? Either
way is fine with me.
--
Chuck Lever
* Re: [PATCH 0/3] Add CRL checking to server and client
From: Rik Theys @ 2025-06-17 5:22 UTC (permalink / raw)
To: Chuck Lever; +Cc: kernel-tls-handshake, Long Xin
Hi,
On Mon, Jun 16, 2025 at 4:40 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On 6/12/25 10:28 AM, Long Xin wrote:
> > On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> >>
> >> On 6/11/25 3:09 AM, Rik Theys wrote:
> >>> These patches add CRL checking to the TLS client and server code.
> >>>
> >>> It introduces an x509.crl configuration option that specifies the
> >>> location of a CRL in PEM format.
> >>>
> >>> The CRL (certificate revocation list) can be used by an administrator
> >>> to block access to certificates that should no longer be trusted
> >>> for some reason.
> >>>
> >>> See https://github.com/oracle/ktls-utils/issues/103
> >>>
> >>> Rik Theys (3):
> >>> Add server-side CRL checking
> >>> Add client-side CRL checking
> >>> Add x509.crl option to man page.
> >>>
> >>> src/tlshd/client.c | 28 +++++++++++++++++
> >>> src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++++
> >>> src/tlshd/server.c | 14 +++++++++
> >>> src/tlshd/tlshd.conf.man | 9 +++++-
> >>> src/tlshd/tlshd.h | 2 ++
> >>> 5 files changed, 118 insertions(+), 1 deletion(-)
> >>>
> >>
> >> Also note that this will need a similar code change to the QUIC paths,
> >> eventually.
> >>
> > Yes, there's no difference for the certificate credentials
> > configuration for QUIC.
> >
> > I think it will be nice to have a function like:
> >
> > static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
> > xcred)
> > {
> > char *crlfile;
> > char *cafile;
> > int ret;
> >
> > if (tlshd_config_get_server_truststore(&cafile)) {
> > ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
> >
> > GNUTLS_X509_FMT_PEM);
> > free(cafile);
> > } else
> > ret = gnutls_certificate_set_x509_system_trust(xcred);
> > if (ret < 0)
> > return ret;
> > tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
> >
> > if (tlshd_config_get_server_crl(&crlfile)) {
> > ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
> > GNUTLS_X509_FMT_PEM);
> > free(crlfile);
> > if (ret < 0 )
> > return ret;
> > tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
> > } else {
> > tlshd_log_debug("System CRL: No CRL file configured.");
> > }
> >
> > gnutls_certificate_set_retrieve_function2(xcred,
> > tlshd_x509_retrieve_key_cb);
> > return GNUTLS_E_SUCCESS;
> > }
> >
> > then use it in both tlshd_tls13/quic_server_x509_handshake().
> > and do the same thing in client.c.
> >
> > Thanks.
>
> Rik, do you want to take a crack at the suggested code re-organization,
> or do you want me to just take your series as-is and fix it up? Either
> way is fine with me.
This week is a very busy week for me. I can look into it next week.
Feel free to take the series and fix it up as you've suggested.
Regards,
Rik
* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-18 12:37 UTC (permalink / raw)
To: Rik Theys; +Cc: kernel-tls-handshake, Long Xin
On 6/17/25 1:22 AM, Rik Theys wrote:
> Hi,
>
> On Mon, Jun 16, 2025 at 4:40 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>>
>> On 6/12/25 10:28 AM, Long Xin wrote:
>>> On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>>>
>>>> On 6/11/25 3:09 AM, Rik Theys wrote:
>>>>> These patches add CRL checking to the TLS client and server code.
>>>>>
>>>>> It introduces an x509.crl configuration option that specifies the
>>>>> location of a CRL in PEM format.
>>>>>
>>>>> The CRL (certificate revocation list) can be used by an administrator
>>>>> to block access to certificates that should no longer be trusted
>>>>> for some reason.
>>>>>
>>>>> See https://github.com/oracle/ktls-utils/issues/103
>>>>>
>>>>> Rik Theys (3):
>>>>> Add server-side CRL checking
>>>>> Add client-side CRL checking
>>>>> Add x509.crl option to man page.
>>>>>
>>>>> src/tlshd/client.c | 28 +++++++++++++++++
>>>>> src/tlshd/config.c | 66 ++++++++++++++++++++++++++++++++++++++++
>>>>> src/tlshd/server.c | 14 +++++++++
>>>>> src/tlshd/tlshd.conf.man | 9 +++++-
>>>>> src/tlshd/tlshd.h | 2 ++
>>>>> 5 files changed, 118 insertions(+), 1 deletion(-)
>>>>>
>>>>
>>>> Also note that this will need a similar code change to the QUIC paths,
>>>> eventually.
>>>>
>>> Yes, there's no difference for the certificate credentials
>>> configuration for QUIC.
>>>
>>> I think it will be nice to have a function like:
>>>
>>> static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
>>> xcred)
>>> {
>>> char *crlfile;
>>> char *cafile;
>>> int ret;
>>>
>>> if (tlshd_config_get_server_truststore(&cafile)) {
>>> ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
>>>
>>> GNUTLS_X509_FMT_PEM);
>>> free(cafile);
>>> } else
>>> ret = gnutls_certificate_set_x509_system_trust(xcred);
>>> if (ret < 0)
>>> return ret;
>>> tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
>>>
>>> if (tlshd_config_get_server_crl(&crlfile)) {
>>> ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
>>> GNUTLS_X509_FMT_PEM);
>>> free(crlfile);
>>> if (ret < 0 )
>>> return ret;
>>> tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
>>> } else {
>>> tlshd_log_debug("System CRL: No CRL file configured.");
>>> }
>>>
>>> gnutls_certificate_set_retrieve_function2(xcred,
>>> tlshd_x509_retrieve_key_cb);
>>> return GNUTLS_E_SUCCESS;
>>> }
>>>
>>> then use it in both tlshd_tls13/quic_server_x509_handshake().
>>> and do the same thing in client.c.
>>>
>>> Thanks.
>>
>> Rik, do you want to take a crack at the suggested code re-organization,
>> or do you want me to just take your series as-is and fix it up? Either
>> way is fine with me.
>
> This week is a very busy week for me. I can look into it next week.
>
> Feel free to take the series and fix it up as you've suggested.
I'll take it as-is and fix it up. Thanks for your contribution and
patience.
--
Chuck Lever