TLS certificates for NFS-over-TLS floating client

Rick Macklem rmacklem at
Sat Mar 21 01:54:00 UTC 2020

Miroslav Lachman wrote:
>Rick Macklem wrote on 2020/03/19 03:09:
>> Miroslav Lachman wrote:
>> [...]
>>> NFS (or any other server) should check list of revoked certificates too.
>>> Otherwise you will not be able to deny access to user which you no
>>> longer want to have an access.
>> Yes, good point.
>> I won't claim to understand this stuff, but from what I can see, all that is
>> done is the CRL is appended to the CAfile (the one with the CA certificates
>> are in being used for certificate verification via SSL__CTX_load_verify_locations().
>> >(
>> shows a CAfile and CRLfile being concatenated and then used to verify a certificate.)
>> There is code in sendmail that loads a CRL file separately, but it seems to
>> just put it in the X509 store returned by SSL_CTX_get_cert_store(), which
>> is the one where the CAfile certificates are stored via SSL_CTX_load_verify_locations(),
>> I think?
>> (It just seems easier to append it to CAfile than do this. The sendmail code uses
>>   poorly documented functions where the man page says
>>   "SSL_CTX_load_verify_locations()" normally takes care of this.)
>> Does this sound right? rick
>I think it would be better to have it in a separate file as Apache does
>Seems more convenient to have CA file write protected (read only) and
>then separate file for list of revoked client certificates, maybe
>somewhere else than CA certificate.
Done. (Actually, the SSL_CTX_load_verify_locations() failed when the CRL was
appended to the CAfile, so I needed to use a separate file to get it working.)

I found X509_load_crl_file(), which does all the glop in sendmail's tls.c file
to do it. (And it looks like the sendmail code only handles a CRL file
with a single entry in it.)

Thanks for the comments, rick

Kind regards
Miroslav Lachman

More information about the freebsd-current mailing list