caucase: Fix CRL support.
Emit Certificate Revocation Lists signed by all valid CAs. Apparently openssl (or at least how it is used in stunnel4) fails to validate a certificate when CRL validation is enabled and the key which signed the CRL differs from the key which signed the certificate. Also, add Authority Key Identifier CRL extension, required to be standard- compliant. Also, fix revocation entry expiration: the RFC requires them to be kept at least one renewal cycle after the certificate's expiration. As a consequence of this whole change: - the protocol for retrieving the curren CRL changes to return the concatenated list of CRLs, which breaks the CRL distribution (...but the distributed CRLs were invalid anyway) - stop storing the CRL PEM in caucased's database so that it gets re-generated with fresh code. As caucased is not expected to be restarted very often, the extra CRL generation on every start should not make a difference.
Showing
This diff is collapsed.
Please register or sign in to comment