Mailing List Archive

TLS OpenSSL CRL Handling
Hi all,

first of all, forgive me if this is the wrong list for this posting,
but in my mind this posting makes more sense here than on the exim-users
list. I have been working on the exim sources for a couple of days to
figure out how and why exim is not able to handle multiple CRLs within
one file or a directory with the hashed CRL files.

For openssl versions greater than 0.9.7 the CRL handling is done by
a single add command for a CRL file (X509_STORE_add_crl(ctx,crl)).
Instead of using that method it would make more sense (in my mind) to
use the X509_STORE_load_locations(ctx,file,dir) method, because then
everyone would be able to serve a file or a hash dir to the SSL context.

The X509_STORE_load_locations() method supplies the context with the
needed lookups by itself, so it is then possible to use multiple CRLs
within one file or a directory of hashed CRL entries.

I think this would make the CRL handling (especially of multiple CRLs)
much easier, and this is not a big change to the sources.

Greetings,
Lars
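To see what the two forms look like in practice, here is an added example (not Exim's code and not Lars's patch) that uses the openssl(1) command line. Its -CRLfile and -CApath options feed the same X509_STORE lookups (a PEM file read in full, and a hashed directory) that X509_STORE_load_locations() installs, so the behaviour it shows is what Exim would get from that call. The script builds two throwaway CAs, revokes a leaf certificate at one of them, and then verifies the leaf against a CRL collection file and against a hashed CRL directory. The CA names, file names and the minimal config are assumptions of this script; it needs OpenSSL 1.1.0 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example, not Exim code: exercise OpenSSL's CRL lookups with a CRL
# collection in one file and with a hashed CRL directory, the two forms the
# post says X509_STORE_load_locations() makes usable. Assumes the openssl(1)
# CLI, 1.1.0 or later (its verify command exits non-zero on failure from that
# version on). All keys, certificates and CRLs are generated here as
# throwaway test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for `req` (CA extensions) and `ca` (revocation database).
# CA_DB selects the per-CA index file; it must be set whenever this file is
# parsed, so give it a placeholder value first.
export CA_DB=unused
cat > ossl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $ENV::CA_DB
new_certs_dir = .
serial        = serial
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
EOF

# mkca NAME: self-signed CA NAME.crt/NAME.key plus an empty index for `ca`.
mkca() {
    openssl req -x509 -config ossl.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" >/dev/null 2>&1
    : > "$1.index"
}

# ca_cmd NAME ARGS...: run `openssl ca` as CA NAME.
ca_cmd() {
    ca=$1; shift
    CA_DB="$ca.index" openssl ca -config ossl.cnf -keyfile "$ca.key" \
        -cert "$ca.crt" "$@" >/dev/null 2>&1
}

# verdict ARGS...: verify leaf.crt against ca1 with extra ARGS and reduce
# the result to one word so the runs below are easy to compare.
verdict() {
    out=$(openssl verify -CAfile ca1.crt "$@" leaf.crt 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo accepted ;;
        *)                       echo "other: $out" ;;
    esac
}

mkca ca1
mkca ca2
# Leaf certificate issued by ca1, then revoked there.
openssl req -new -config ossl.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=mail.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca1.crt -CAkey ca1.key -CAcreateserial \
    -out leaf.crt >/dev/null 2>&1
ca_cmd ca1 -revoke leaf.crt
ca_cmd ca1 -gencrl -crldays 1 -out ca1.crl
ca_cmd ca2 -gencrl -crldays 1 -out ca2.crl   # unrelated CA, empty CRL

# Form 1: CRL collection in one file. ca1's CRL is deliberately NOT the
# first object, so a loader that reads only one CRL object from the file
# (as the post describes Exim doing) would miss it.
cat ca2.crl ca1.crl > crls.pem

# Form 2: hashed directory with <hash>.r0 links, as X509_LOOKUP_hash_dir
# expects for CRLs; `openssl rehash` creates them.
mkdir crldir
cp ca1.crl ca2.crl crldir/
openssl rehash crldir >/dev/null 2>&1

echo "no CRL checking:      $(verdict)"
echo "CRL collection file:  $(verdict -crl_check -CRLfile crls.pem)"
echo "hashed CRL directory: $(verdict -crl_check -CApath crldir)"
```

The first run accepts the leaf because nothing asks for revocation checking; the second and third reject it as revoked, which shows that the file lookup reads past the first CRL and that the hashed-directory lookup finds the CRL by issuer hash. Without -crl_check (or X509_V_FLAG_CRL_CHECK on the store) a loaded CRL is never consulted, so whichever way Exim loads CRLs, that flag is the part worth checking in a test.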
Re: TLS OpenSSL CRL Handling
On Tue, 8 Mar 2005, Lars Mainka wrote:

> For openssl versions greater than 0.9.7 the CRL handling is done by a
> single add command for a CRL file (X509_STORE_add_crl(ctx,crl)). Instead of
> using that method it would make more sense (in my mind) to use the
> X509_STORE_load_locations(ctx,file,dir) method, because then everyone would be
> able to serve a file or a hash dir to the SSL context.

I don't think any of the main Exim maintainers are at all expert in
OpenSSL. I certainly am not. The CRL support was originally supplied as
a patch, which I integrated and was happy with once I found that a simple
test worked.

> The X509_STORE_load_locations() method supplies the context with the needed
> lookups by itself, so it is then possible to use multiple CRLs within one
> file or a directory of hashed CRL entries.
>
> I think this would make the CRL handling (especially of multiple CRLs) much
> easier, and this is not a big change to the sources.

Would such a change be upwards compatible? Can you supply a suggested
patch? That has much more of a chance of being included and tested.
Otherwise somebody has to spend time learning about OpenSSL and figuring
out what to do. My own time for working on the code is extremely limited
at present.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
Re: TLS OpenSSL CRL Handling
Philip Hazel wrote:

> I don't think any of the main Exim maintainers are at all expert in
> OpenSSL. I certainly am not. The CRL support was originally supplied as
> a patch, which I integrated and was happy with once I found that a simple
> test worked.

In my mind, security based on SSL/TLS has so much complexity that
there are only a few people who can be called experts. :-( This makes
getting the whole thing secure so difficult that there will be a lack of
security in general.

>> I think this would make the CRL handling (especially of multiple CRLs) much
>> easier, and this is not a big change to the sources.
>
>
> Would such a change be upwards compatible? Can you supply a suggested
> patch? That has much more of a chance of being included and tested.
> Otherwise somebody has to spend time learning about OpenSSL and figuring
> out what to do. My own time for working on the code is extremely limited
> at present.

I tried it with versions 4.43, 4.44 and 4.50 on FreeBSD and Debian
and it works fine. I haven't found any problems changing the sources,
and there are no handling differences concerning the tls_crl value in the
configuration. I would be very happy to supply Exim with a small patch.
Where should I send the patch? (I will try to do the same for GnuTLS if
anyone would like to have it.)

As I posted on the users list, there are some other possible tasks in
the TLS implementation, like purpose checking, client certificate
checking, OCSP and so on. Is anybody interested in enhancing Exim on
that point?

Greetings,
Lars
Re: TLS OpenSSL CRL Handling
Hi,

attached is the diff adding support for CRL collections in a file
or for hashed files in a directory.

This works with versions 4.43 up to 4.50 (I've tried it with them). Feel
free to apply the changes and check it out.

Greetings,
Lars
Re: TLS OpenSSL CRL Handling
On Wed, 9 Mar 2005, Lars Mainka wrote:

> attached is the diff adding support for CRL collections in a file or
> for hashed files in a directory.
>
> This works with versions 4.43 up to 4.50 (I've tried it with them). Feel free
> to apply the changes and check it out.

Thank you. I have added this to my work list. However, it may be some
time before I get to it, owing to rather a lot of other things going on
at the moment. But it will not be forgotten.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book