kernel-tls-handshake.lists.linux.dev archive mirror
* [PATCH 0/3] Add CRL checking to server and client
From: Rik Theys @ 2025-06-11  7:09 UTC (permalink / raw)
  To: kernel-tls-handshake; +Cc: Rik Theys

These patches add CRL checking to the TLS client and server code.

It introduces an x509.crl configuration option that specifies the
location of a CRL in PEM format.

The CRL (certificate revocation list) can be used by an administrator
to block access to certificates that should no longer be trusted
for some reason.

See https://github.com/oracle/ktls-utils/issues/103

Rik Theys (3):
  Add server-side CRL checking
  Add client-side CRL checking
  Add x509.crl option to man page.

 src/tlshd/client.c       | 28 +++++++++++++++++
 src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
 src/tlshd/server.c       | 14 +++++++++
 src/tlshd/tlshd.conf.man |  9 +++++-
 src/tlshd/tlshd.h        |  2 ++
 5 files changed, 118 insertions(+), 1 deletion(-)

-- 
2.49.0


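The file the series wires in through x509.crl is an ordinary PEM-encoded CRL. As an added, self-contained illustration (not code from the ktls-utils project or from this series), the script below builds a throwaway CA with openssl, issues one client certificate, revokes it in a CRL of exactly that form, and then verifies the chain with and without the CRL, using openssl verify as a stand-in for the GnuTLS verification tlshd performs. The subjects, file names and function names (Demo CA, client.example, crl_demo_setup and friends) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the ktls-utils series. Everything below is
# constructed: a throwaway CA, one client certificate, and a CRL that
# revokes it. The CRL is the kind of PEM file x509.crl would point at.

# Create CA, client certificate and CRL under directory $1.
crl_demo_setup() {
    dir=$1
    mkdir -p "$dir"
    # Minimal openssl config: a CA database plus a req section with
    # CA extensions, so the demo does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = $dir
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"

    # Self-signed CA (constructed subject), with cRLSign so it may issue CRLs.
    openssl req -config "$dir/ca.cnf" -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Demo CA" 2>/dev/null

    # Client certificate, issued through 'openssl ca' so it lands in the CA database.
    openssl req -config "$dir/ca.cnf" -new -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=client.example" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -days 30 \
        -in "$dir/client.csr" -out "$dir/client.pem" 2>/dev/null

    # Revoke it and emit the CRL in PEM form (what x509.crl expects).
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Chain check against the trust anchor only: succeeds, the revocation is invisible.
verify_without_crl() {
    openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}

# Same chain with the CRL supplied and revocation checking enabled: must fail.
verify_with_crl() {
    openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" -crl_check \
        "$1/client.pem" >/dev/null 2>&1
}

crl_demo_main() {
    work=$(mktemp -d)
    crl_demo_setup "$work"
    if verify_without_crl "$work"; then
        echo "without CRL: revoked certificate is still accepted"
    fi
    if verify_with_crl "$work"; then
        echo "with CRL: certificate accepted (unexpected)"
    else
        echo "with CRL: certificate rejected as revoked"
    fi
    rm -rf "$work"
}

crl_demo_main
```

The point the two verify calls make is the one the cover letter relies on: a certificate that is still within its validity period and chains to a trusted CA is accepted until the verifier is actually given the CRL, so whether tlshd loads the file (and what it does when it cannot) decides whether revocation has any effect.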

* [PATCH 1/3] Add server-side CRL checking
From: Rik Theys @ 2025-06-11  7:09 UTC (permalink / raw)
  To: kernel-tls-handshake; +Cc: Rik Theys

If an x509.crl option is specified in the authenticate.server
section of the configuration file, use it as a certificate
revocation list.

Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
 src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
 src/tlshd/server.c | 14 ++++++++++++++
 src/tlshd/tlshd.h  |  1 +
 3 files changed, 48 insertions(+)

diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index be5d472..1963116 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -350,6 +350,39 @@ bool tlshd_config_get_server_truststore(char **bundle)
 	return true;
 }
 
+/**
+ * tlshd_config_get_server_crl - Get CRL for ServerHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ *   %false: pathname not retrieved
+ *   %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_server_crl(char **bundle)
+{
+	GError *error = NULL;
+	gchar *pathname;
+
+	pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
+					 "x509.crl", &error);
+	if (!pathname) {
+		g_error_free(error);
+		return false;
+	} else if (access(pathname, F_OK)) {
+		tlshd_log_debug("server x509.crl pathname \"%s\" is not accessible", pathname);
+		g_free(pathname);
+		return false;
+	}
+
+	*bundle = strdup(pathname);
+	g_free(pathname);
+	if (!*bundle)
+		return false;
+
+	tlshd_log_debug("Server x.509 crl is %s", *bundle);
+	return true;
+}
+
 /**
  * tlshd_config_get_server_certs - Get certs for ServerHello from .conf
  * @certs: OUT: in-memory certificates
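Review bot: the `access(pathname, F_OK)` branch makes a configured-but-unusable CRL indistinguishable from no CRL at all: the function returns false in both cases, the caller then carries on without revocation checking, and the only trace is a debug-level message. Since the administrator explicitly asked for revocation checking, the fail-closed choice is to report "configured but unreadable" separately (a third return state or an extra out flag) so that server.c can abort the handshake, or at least log it at error level. Two smaller points: `R_OK` is the mode GnuTLS will actually need when it opens the file, and the kernel-doc summary "Get CRL for ServerHello" is misleading, because this CRL is used to verify the peer's certificate, not sent in the ServerHello.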
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 72ff6f5..bf4b740 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -219,6 +219,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
 	gnutls_certificate_credentials_t xcred;
 	gnutls_session_t session;
 	char *cafile;
+	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -239,6 +240,19 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
+	if (tlshd_config_get_server_crl(&crlfile)) {
+		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+							   GNUTLS_X509_FMT_PEM);
+		free(crlfile);
+		if (ret < 0 ) {
+			tlshd_log_gnutls_error(ret);
+			goto out_free_creds;
+		}
+		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+	} else {
+		tlshd_log_debug("System CRL: No CRL file configured.");
+	}
+
 	if (!tlshd_x509_server_get_certs(parms)) {
 		goto out_free_creds;
 	}
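Review bot: the `else` branch logs "System CRL: No CRL file configured." whenever tlshd_config_get_server_crl() returns false, which also covers a configured file that is missing or a failed strdup(), so the log says the opposite of the truth in exactly the case an operator would need to see, and the handshake continues without revocation checking. Suggest having the config helper distinguish "not configured" from "configured but unusable" and routing the latter through `goto out_free_creds`, the same way the gnutls_certificate_set_x509_crl_file() error just above is handled. Minor: stray space in `if (ret < 0 )`.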
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 135e1e0..617d1c6 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -61,6 +61,7 @@ bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
 				   unsigned int *certs_len);
 bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
 bool tlshd_config_get_server_truststore(char **bundle);
+bool tlshd_config_get_server_crl(char **bundle);
 bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
 				   unsigned int *certs_len);
 bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey);
-- 
2.49.0



* [PATCH 2/3] Add client-side CRL checking
From: Rik Theys @ 2025-06-11  7:09 UTC (permalink / raw)
  To: kernel-tls-handshake; +Cc: Rik Theys

If an x509.crl option is specified in the authenticate.client
section of the configuration file, use it as a certificate
revocation list.

This commit only adds the check for tcp based TLS sessions.
Support for QUIC still needs to be added.

Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
 src/tlshd/client.c | 28 ++++++++++++++++++++++++++++
 src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
 src/tlshd/tlshd.h  |  1 +
 3 files changed, 62 insertions(+)

diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 9c8f512..189452f 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -49,6 +49,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 	gnutls_session_t session;
 	unsigned int flags;
 	char *cafile;
+	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -77,6 +78,19 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
+	if (tlshd_config_get_client_crl(&crlfile)) {
+		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+							   GNUTLS_X509_FMT_PEM);
+		free(crlfile);
+		if (ret < 0 ) {
+			tlshd_log_gnutls_error(ret);
+			goto out_free_creds;
+		}
+		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+	} else {
+		tlshd_log_debug("System CRL: No CRL file configured.");
+	}
+
 	flags = GNUTLS_CLIENT;
 	ret = gnutls_init(&session, flags);
 	if (ret != GNUTLS_E_SUCCESS) {
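Review bot: in this anonymous-client path the CRL governs the client's verification of the server certificate, so the same fail-open concern as in server.c applies here: when tlshd_config_get_client_crl() returns false because the configured file is inaccessible, the `else` branch prints "No CRL file configured." and the handshake proceeds unchecked. A configured-but-unreadable CRL should be surfaced at error level and, preferably, treated like the `ret < 0` case with `goto out_free_creds`. Minor: stray space in `if (ret < 0 )`.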
@@ -275,6 +289,7 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 	gnutls_session_t session;
 	unsigned int flags;
 	char *cafile;
+	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -295,6 +310,19 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
+	if (tlshd_config_get_client_crl(&crlfile)) {
+		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+							   GNUTLS_X509_FMT_PEM);
+		free(crlfile);
+		if (ret < 0 ) {
+			tlshd_log_gnutls_error(ret);
+			goto out_free_creds;
+		}
+		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+	} else {
+		tlshd_log_debug("System CRL: No CRL file configured.");
+	}
+
 	if (!tlshd_x509_client_get_certs(parms))
 		goto out_free_creds;
 	if (!tlshd_x509_client_get_privkey(parms))
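Review bot: this block is a verbatim copy of the one added to tlshd_tls13_client_anon_handshake() above, and of the one in server.c; with the QUIC paths still to come, that would make four copies of the same fourteen lines. Factoring the trust-store plus CRL setup into a shared credentials helper (as proposed later in this thread) before adding more callers keeps the loading order, the error handling and the log wording in one place.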
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index 1963116..7041fe9 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -212,6 +212,39 @@ bool tlshd_config_get_client_truststore(char **bundle)
 	return true;
 }
 
+/**
+ * tlshd_config_get_client_crl - Get CRL for ClientHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ *   %false: pathname not retrieved
+ *   %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_client_crl(char **bundle)
+{
+	GError *error = NULL;
+	gchar *pathname;
+
+	pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
+					 "x509.crl", &error);
+	if (!pathname) {
+		g_error_free(error);
+		return false;
+	} else if (access(pathname, F_OK)) {
+		tlshd_log_debug("client x509.crl pathname \"%s\" is not accessible", pathname);
+		g_free(pathname);
+		return false;
+	}
+
+	*bundle = strdup(pathname);
+	g_free(pathname);
+	if (!*bundle)
+		return false;
+
+	tlshd_log_debug("Client x.509 crl is %s", *bundle);
+	return true;
+}
+
 /**
  * tlshd_config_get_client_certs - Get certs for ClientHello from .conf
  * @certs: OUT: in-memory certificates
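Review bot: this is tlshd_config_get_server_crl() with only the section string changed; a static helper taking the section name (which the two truststore getters could also use) would halve the surface that has to be kept in sync and would keep the `access(pathname, F_OK)` decision in a single place. The fail-open behaviour carries over unchanged: an inaccessible file configured under authenticate.client silently disables revocation checking for the client's verification of the server certificate, with only a debug message to show for it.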
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 617d1c6..f674cae 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -57,6 +57,7 @@ extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms
 bool tlshd_config_init(const gchar *pathname);
 void tlshd_config_shutdown(void);
 bool tlshd_config_get_client_truststore(char **bundle);
+bool tlshd_config_get_client_crl(char **bundle);
 bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
 				   unsigned int *certs_len);
 bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
-- 
2.49.0



* [PATCH 3/3] Add x509.crl option to man page.
From: Rik Theys @ 2025-06-11  7:09 UTC (permalink / raw)
  To: kernel-tls-handshake; +Cc: Rik Theys

Update the man page to include the x509.crl option available
in the authenticate.server and authenticate.client section.

Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
 src/tlshd/tlshd.conf.man | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/tlshd/tlshd.conf.man b/src/tlshd/tlshd.conf.man
index 9d6d92f..745058a 100644
--- a/src/tlshd/tlshd.conf.man
+++ b/src/tlshd/tlshd.conf.man
@@ -94,7 +94,7 @@ and it consults the settings in the
 .I [server]
 subsection when handling the server end of a handshake.
 .P
-In each of these two subsections, there are three available options:
+In each of these two subsections, there are four available options:
 .TP
 .B x509.truststore
 This option specifies the pathname of a file containing a
@@ -104,6 +104,13 @@ If this option is not specified,
 .B tlshd
 uses the system's trust store.
 .TP
+.B x509.crl
+This option specifies the pathname of a file containing a
+PEM-encoded certificate revocation list (CRL) that is to be
+used to verify the revocation status of a certificate during
+a handshake.
+If this option is not specified, no CRL checking takes place.
+.TP
 .B x509.certificate
 This option specifies the pathname of a file containing
 a PEM-encoded x.509 certificate that is to be presented during
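Review bot: the new paragraph should also tell the administrator what happens when the configured file cannot be read, since with the code in patches 1 and 2 that case produces only a debug message and no CRL checking, which is not what "If this option is not specified, no CRL checking takes place" leads a reader to expect. Two more facts worth one sentence each: the file is read by the handshake functions themselves, so a replaced CRL takes effect on the next handshake without a restart, and a CRL only applies when its issuing CA is present in the trust store used for the same handshake.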
-- 
2.49.0



* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-11 13:49 UTC (permalink / raw)
  To: Long Xin; +Cc: kernel-tls-handshake, Rik Theys

On 6/11/25 3:09 AM, Rik Theys wrote:
> These patches add CRL checking to the TLS client and server code.
> 
> It introduces an x509.crl configuration option that specifies the
> location of a CRL in PEM format.
> 
> The CRL (certificate revocation list) can be used by an administrator
> to block access to certificates that should no longer be trusted
> for some reason.
> 
> See https://github.com/oracle/ktls-utils/issues/103
> 
> Rik Theys (3):
>   Add server-side CRL checking
>   Add client-side CRL checking
>   Add x509.crl option to man page.
> 
>  src/tlshd/client.c       | 28 +++++++++++++++++
>  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
>  src/tlshd/server.c       | 14 +++++++++
>  src/tlshd/tlshd.conf.man |  9 +++++-
>  src/tlshd/tlshd.h        |  2 ++
>  5 files changed, 118 insertions(+), 1 deletion(-)
> 

Also note that this will need a similar code change to the QUIC paths,
eventually.

-- 
Chuck Lever


* Re: [PATCH 0/3] Add CRL checking to server and client
From: Long Xin @ 2025-06-12 14:28 UTC (permalink / raw)
  To: Chuck Lever; +Cc: kernel-tls-handshake, Rik Theys

On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On 6/11/25 3:09 AM, Rik Theys wrote:
> > These patches add CRL checking to the TLS client and server code.
> >
> > It introduces an x509.crl configuration option that specifies the
> > location of a CRL in PEM format.
> >
> > The CRL (certificate revocation list) can be used by an administrator
> > to block access to certificates that should no longer be trusted
> > for some reason.
> >
> > See https://github.com/oracle/ktls-utils/issues/103
> >
> > Rik Theys (3):
> >   Add server-side CRL checking
> >   Add client-side CRL checking
> >   Add x509.crl option to man page.
> >
> >  src/tlshd/client.c       | 28 +++++++++++++++++
> >  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
> >  src/tlshd/server.c       | 14 +++++++++
> >  src/tlshd/tlshd.conf.man |  9 +++++-
> >  src/tlshd/tlshd.h        |  2 ++
> >  5 files changed, 118 insertions(+), 1 deletion(-)
> >
>
> Also note that this will need a similar code change to the QUIC paths,
> eventually.
>
Yes, there's no difference for the certificate credentials
configuration for QUIC.

I think it will be nice to have a function like:

static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t xcred)
{
        char *crlfile;
        char *cafile;
        int ret;

        /* Trust anchors: the configured bundle, or else the system store. */
        if (tlshd_config_get_server_truststore(&cafile)) {
                ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
                                                             GNUTLS_X509_FMT_PEM);
                free(cafile);
        } else
                ret = gnutls_certificate_set_x509_system_trust(xcred);
        if (ret < 0)
                return ret;
        tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);

        /* Optional CRL from the x509.crl option. */
        if (tlshd_config_get_server_crl(&crlfile)) {
                ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
                                                           GNUTLS_X509_FMT_PEM);
                free(crlfile);
                if (ret < 0)
                        return ret;
                tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
        } else {
                tlshd_log_debug("System CRL: No CRL file configured.");
        }

        /* Server certificate and key are supplied on demand via the callback. */
        gnutls_certificate_set_retrieve_function2(xcred,
                                                  tlshd_x509_retrieve_key_cb);
        return GNUTLS_E_SUCCESS;
}

then use it in both tlshd_tls13/quic_server_x509_handshake().
and do the same thing in client.c.

Thanks.



* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-16 14:39 UTC (permalink / raw)
  To: Rik Theys; +Cc: kernel-tls-handshake, Long Xin

On 6/12/25 10:28 AM, Long Xin wrote:
> On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>
>> On 6/11/25 3:09 AM, Rik Theys wrote:
>>> These patches add CRL checking to the TLS client and server code.
>>>
>>> It introduces an x509.crl configuration option that specifies the
>>> location of a CRL in PEM format.
>>>
>>> The CRL (certificate revocation list) can be used by an administrator
>>> to block access to certificates that should no longer be trusted
>>> for some reason.
>>>
>>> See https://github.com/oracle/ktls-utils/issues/103
>>>
>>> Rik Theys (3):
>>>   Add server-side CRL checking
>>>   Add client-side CRL checking
>>>   Add x509.crl option to man page.
>>>
>>>  src/tlshd/client.c       | 28 +++++++++++++++++
>>>  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
>>>  src/tlshd/server.c       | 14 +++++++++
>>>  src/tlshd/tlshd.conf.man |  9 +++++-
>>>  src/tlshd/tlshd.h        |  2 ++
>>>  5 files changed, 118 insertions(+), 1 deletion(-)
>>>
>>
>> Also note that this will need a similar code change to the QUIC paths,
>> eventually.
>>
> Yes, there's no difference for the certificate credentials
> configuration for QUIC.
> 
> I think it will be nice to have a function like:
> 
> static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
> xcred)
> {
>         char *crlfile;
>         char *cafile;
>         int ret;
> 
>         if (tlshd_config_get_server_truststore(&cafile)) {
>                 ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
> 
> GNUTLS_X509_FMT_PEM);
>                 free(cafile);
>         } else
>                 ret = gnutls_certificate_set_x509_system_trust(xcred);
>         if (ret < 0)
>                 return ret;
>         tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
> 
>         if (tlshd_config_get_server_crl(&crlfile)) {
>                 ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
>                                                            GNUTLS_X509_FMT_PEM);
>                 free(crlfile);
>                 if (ret < 0 )
>                         return ret;
>                 tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
>         } else {
>                 tlshd_log_debug("System CRL: No CRL file configured.");
>         }
> 
>         gnutls_certificate_set_retrieve_function2(xcred,
>                                                   tlshd_x509_retrieve_key_cb);
>         return GNUTLS_E_SUCCESS;
> }
> 
> then use it in both tlshd_tls13/quic_server_x509_handshake().
> and do the same thing in client.c.
> 
> Thanks.

Rik, do you want to take a crack at the suggested code re-organization,
or do you want me to just take your series as-is and fix it up? Either
way is fine with me.


-- 
Chuck Lever


* Re: [PATCH 0/3] Add CRL checking to server and client
From: Rik Theys @ 2025-06-17  5:22 UTC (permalink / raw)
  To: Chuck Lever; +Cc: kernel-tls-handshake, Long Xin

Hi,

On Mon, Jun 16, 2025 at 4:40 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>
> On 6/12/25 10:28 AM, Long Xin wrote:
> > On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
> >>
> >> On 6/11/25 3:09 AM, Rik Theys wrote:
> >>> These patches add CRL checking to the TLS client and server code.
> >>>
> >>> It introduces an x509.crl configuration option that specifies the
> >>> location of a CRL in PEM format.
> >>>
> >>> The CRL (certificate revocation list) can be used by an administrator
> >>> to block access to certificates that should no longer be trusted
> >>> for some reason.
> >>>
> >>> See https://github.com/oracle/ktls-utils/issues/103
> >>>
> >>> Rik Theys (3):
> >>>   Add server-side CRL checking
> >>>   Add client-side CRL checking
> >>>   Add x509.crl option to man page.
> >>>
> >>>  src/tlshd/client.c       | 28 +++++++++++++++++
> >>>  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
> >>>  src/tlshd/server.c       | 14 +++++++++
> >>>  src/tlshd/tlshd.conf.man |  9 +++++-
> >>>  src/tlshd/tlshd.h        |  2 ++
> >>>  5 files changed, 118 insertions(+), 1 deletion(-)
> >>>
> >>
> >> Also note that this will need a similar code change to the QUIC paths,
> >> eventually.
> >>
> > Yes, there's no difference for the certificate credentials
> > configuration for QUIC.
> >
> > I think it will be nice to have a function like:
> >
> > static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
> > xcred)
> > {
> >         char *crlfile;
> >         char *cafile;
> >         int ret;
> >
> >         if (tlshd_config_get_server_truststore(&cafile)) {
> >                 ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
> >
> > GNUTLS_X509_FMT_PEM);
> >                 free(cafile);
> >         } else
> >                 ret = gnutls_certificate_set_x509_system_trust(xcred);
> >         if (ret < 0)
> >                 return ret;
> >         tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
> >
> >         if (tlshd_config_get_server_crl(&crlfile)) {
> >                 ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
> >                                                            GNUTLS_X509_FMT_PEM);
> >                 free(crlfile);
> >                 if (ret < 0 )
> >                         return ret;
> >                 tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
> >         } else {
> >                 tlshd_log_debug("System CRL: No CRL file configured.");
> >         }
> >
> >         gnutls_certificate_set_retrieve_function2(xcred,
> >                                                   tlshd_x509_retrieve_key_cb);
> >         return GNUTLS_E_SUCCESS;
> > }
> >
> > then use it in both tlshd_tls13/quic_server_x509_handshake().
> > and do the same thing in client.c.
> >
> > Thanks.
>
> Rik, do you want to take a crack at the suggested code re-organization,
> or do you want me to just take your series as-is and fix it up? Either
> way is fine with me.

This week is a very busy week for me. I can look into it next week.

Feel free to take the series and fix it up as you've suggested.

Regards,
Rik


* Re: [PATCH 0/3] Add CRL checking to server and client
From: Chuck Lever @ 2025-06-18 12:37 UTC (permalink / raw)
  To: Rik Theys; +Cc: kernel-tls-handshake, Long Xin

On 6/17/25 1:22 AM, Rik Theys wrote:
> Hi,
> 
> On Mon, Jun 16, 2025 at 4:40 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>>
>> On 6/12/25 10:28 AM, Long Xin wrote:
>>> On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>>>
>>>> On 6/11/25 3:09 AM, Rik Theys wrote:
>>>>> These patches add CRL checking to the TLS client and server code.
>>>>>
>>>>> It introduces an x509.crl configuration option that specifies the
>>>>> location of a CRL in PEM format.
>>>>>
>>>>> The CRL (certificate revocation list) can be used by an administrator
>>>>> to block access to certificates that should no longer be trusted
>>>>> for some reason.
>>>>>
>>>>> See https://github.com/oracle/ktls-utils/issues/103
>>>>>
>>>>> Rik Theys (3):
>>>>>   Add server-side CRL checking
>>>>>   Add client-side CRL checking
>>>>>   Add x509.crl option to man page.
>>>>>
>>>>>  src/tlshd/client.c       | 28 +++++++++++++++++
>>>>>  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
>>>>>  src/tlshd/server.c       | 14 +++++++++
>>>>>  src/tlshd/tlshd.conf.man |  9 +++++-
>>>>>  src/tlshd/tlshd.h        |  2 ++
>>>>>  5 files changed, 118 insertions(+), 1 deletion(-)
>>>>>
>>>>
>>>> Also note that this will need a similar code change to the QUIC paths,
>>>> eventually.
>>>>
>>> Yes, there's no difference for the certificate credentials
>>> configuration for QUIC.
>>>
>>> I think it will be nice to have a function like:
>>>
>>> static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
>>> xcred)
>>> {
>>>         char *crlfile;
>>>         char *cafile;
>>>         int ret;
>>>
>>>         if (tlshd_config_get_server_truststore(&cafile)) {
>>>                 ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
>>>
>>> GNUTLS_X509_FMT_PEM);
>>>                 free(cafile);
>>>         } else
>>>                 ret = gnutls_certificate_set_x509_system_trust(xcred);
>>>         if (ret < 0)
>>>                 return ret;
>>>         tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
>>>
>>>         if (tlshd_config_get_server_crl(&crlfile)) {
>>>                 ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
>>>                                                            GNUTLS_X509_FMT_PEM);
>>>                 free(crlfile);
>>>                 if (ret < 0 )
>>>                         return ret;
>>>                 tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
>>>         } else {
>>>                 tlshd_log_debug("System CRL: No CRL file configured.");
>>>         }
>>>
>>>         gnutls_certificate_set_retrieve_function2(xcred,
>>>                                                   tlshd_x509_retrieve_key_cb);
>>>         return GNUTLS_E_SUCCESS;
>>> }
>>>
>>> then use it in both tlshd_tls13/quic_server_x509_handshake().
>>> and do the same thing in client.c.
>>>
>>> Thanks.
>>
>> Rik, do you want to take a crack at the suggested code re-organization,
>> or do you want me to just take your series as-is and fix it up? Either
>> way is fine with me.
> 
> This week is a very busy week for me. I can look into it next week.
> 
> Feel free to take the series and fix it up as you've suggested.

I'll take it as-is and fix it up. Thanks for your contribution and
patience.


-- 
Chuck Lever

