Does OpenSSL automatically handle CRLs (Certificate Revocation Lists) now?

Question

The reference book that I'm working from (Network Security with OpenSSL, by Viega, Messier, and Chandra), on page 133, states:

[...] an application must load CRL files in order for the internal verification process to ensure each certificate it verifies is not revoked. Unfortunately, OpenSSL's CRL functionality is incomplete in version 0.9.6. The features necessary to utilize CRL information will be complete in new versions starting with 0.9.7. [...]

I can't find any usable information about it in the OpenSSL documentation (no surprise there). It seems to me that checking the CRLs should be an automatic part of OpenSSL's verification process. Are CRLs handled automatically now, or must I still go through all the garbage listed in the book to laboriously verify that a certificate hasn't been revoked?

A closely-related question: does the SSL_CTX_set_default_verify_paths function load CRL paths too?

Answer

SSL_CTX_set_default_verify_paths() just loads CA paths, not CRLs.

I believe (though I have not yet actually implemented it myself) that the correct process is:

#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* `ctx` is an initialised SSL_CTX; `crl` is an X509_CRL already parsed,
 * e.g. with PEM_read_bio_X509_CRL(). */

/* Load CRLs into the `X509_STORE` */
X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_crl(x509_store, crl);

/* Enable CRL checking. X509_V_FLAG_CRL_CHECK covers the leaf certificate only;
 * OR in X509_V_FLAG_CRL_CHECK_ALL to check every CA in the chain as well. */
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
SSL_CTX_set1_param(ctx, param);   /* copies the parameters into ctx */
X509_VERIFY_PARAM_free(param);    /* safe: ctx keeps its own copy */
