• Vincent Pelletier's avatar
    caucase: Fix CRL support. · 3aefb18a
    Vincent Pelletier authored
    Emit Certificate Revocation Lists signed by all valid CAs.
    Apparently openssl (or at least how it is used in stunnel4) fails to
    validate a certificate when CRL validation is enabled and the key which
    signed the CRL differs from the key which signed the certificate.
    Also, add Authority Key Identifier CRL extension, required to be standard-
    Also, fix revocation entry expiration: the RFC requires them to be kept
    at least one renewal cycle after the certificate's expiration.
    As a consequence of this whole change:
    - the protocol for retrieving the curren CRL changes to return the
      concatenated list of CRLs, which breaks the CRL distribution (...but
      the distributed CRLs were invalid anyway)
    - stop storing the CRL PEM in caucased's database so that it gets
      re-generated with fresh code. As caucased is not expected to be
      restarted very often, the extra CRL generation on every start should
      not make a difference.
storage.py 18.7 KB