Skip to content

Fix CRL for client certificates#240

Open
ne-bknn wants to merge 1 commit into
stripe:masterfrom
ne-bknn:master
Open

Fix CRL for client certificates#240
ne-bknn wants to merge 1 commit into
stripe:masterfrom
ne-bknn:master

Conversation

@ne-bknn

@ne-bknn ne-bknn commented Dec 13, 2024

Copy link
Copy Markdown
Contributor

Hi!

CRL feature does not seem to work. There are two main issues with it:

  1. CRLs are loaded into Config structure, but are not used anywhere. I've implemented VerifyPeerCertificate function in config.TlsConfig
  2. Even with implemented VerifyPeerCertificate, CRLs do not work since CRL loading occurs earlier, than CA loading. Smokescreen cannot find CA for CRL and fails. That's why I rearranged them.

I wrote an integration test with its own CA generation procedure - I did not want to figure how to use your test PKI in testdata, so I generate PKI on the fly and clean it up afterwards.

This may look terrible, as it is just a draft. I'll clean it up, fix deprecation issues and resolve any of your comments if you are willing to merge it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant