Re: [PATCH 0/3] Add CRL checking to server and client

[Chuck Lever <chuck.lever@oracle.com>]

On 6/17/25 1:22 AM, Rik Theys wrote:
> Hi,
> 
> On Mon, Jun 16, 2025 at 4:40 PM Chuck Lever <chuck.lever@oracle.com> wrote:
>>
>> On 6/12/25 10:28 AM, Long Xin wrote:
>>> On Wed, Jun 11, 2025 at 9:49 AM Chuck Lever <chuck.lever@oracle.com> wrote:
>>>>
>>>> On 6/11/25 3:09 AM, Rik Theys wrote:
>>>>> These patches add CRL checking to the TLS client and server code.
>>>>>
>>>>> It introduces an x509.crl configuration option that specifies the
>>>>> location of a CRL in PEM format.
>>>>>
>>>>> The CRL (certificate revocation list) can be used by an administrator
>>>>> to block access to certificates that should no longer be trusted
>>>>> for some reason.
>>>>>
>>>>> See https://github.com/oracle/ktls-utils/issues/103
>>>>>
>>>>> Rik Theys (3):
>>>>>   Add server-side CRL checking
>>>>>   Add client-side CRL checking
>>>>>   Add x509.crl option to man page.
>>>>>
>>>>>  src/tlshd/client.c       | 28 +++++++++++++++++
>>>>>  src/tlshd/config.c       | 66 ++++++++++++++++++++++++++++++++++++++++
>>>>>  src/tlshd/server.c       | 14 +++++++++
>>>>>  src/tlshd/tlshd.conf.man |  9 +++++-
>>>>>  src/tlshd/tlshd.h        |  2 ++
>>>>>  5 files changed, 118 insertions(+), 1 deletion(-)
>>>>>
>>>>
>>>> Also note that this will need a similar code change to the QUIC paths,
>>>> eventually.
>>>>
>>> Yes, there's no difference for the certificate credentials
>>> configuration for QUIC.
>>>
>>> I think it will be nice to have a function like:
>>>
>>> static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
>>> xcred)
>>> {
>>>         char *crlfile;
>>>         char *cafile;
>>>         int ret;
>>>
>>>         if (tlshd_config_get_server_truststore(&cafile)) {
>>>                 ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
>>>
>>> GNUTLS_X509_FMT_PEM);
>>>                 free(cafile);
>>>         } else
>>>                 ret = gnutls_certificate_set_x509_system_trust(xcred);
>>>         if (ret < 0)
>>>                 return ret;
>>>         tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
>>>
>>>         if (tlshd_config_get_server_crl(&crlfile)) {
>>>                 ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
>>>                                                            GNUTLS_X509_FMT_PEM);
>>>                 free(crlfile);
>>>                 if (ret < 0 )
>>>                         return ret;
>>>                 tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
>>>         } else {
>>>                 tlshd_log_debug("System CRL: No CRL file configured.");
>>>         }
>>>
>>>         gnutls_certificate_set_retrieve_function2(xcred,
>>>                                                   tlshd_x509_retrieve_key_cb);
>>>         return GNUTLS_E_SUCCESS;
>>> }
>>>
>>> then use it in both tlshd_tls13/quic_server_x509_handshake().
>>> and do the same thing in client.c.
>>>
>>> Thanks.
>>
>> Rik, do you want to take a crack at the suggested code re-organization,
>> or do you want me to just take your series as-is and fix it up? Either
>> way is fine with me.
> 
> This week is a very busy week for me. I can look into it next week.
> 
> Feel free to take the series and fix it up as you've suggested.

I'll take it as-is and fix it up. Thanks for your contribution and
patience.


-- 
Chuck Lever