
CRL Validation

Open goatgoose opened this issue 2 years ago • 0 comments

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

Currently, s2n-tls does not support certificate revocation validation via CRLs.

Solution:

Implement a callback that will allow users to provide CRLs for received certificates, which will be used to check the certificates for revocation.

  • Does this change what S2N sends over the wire? No.
  • Does this change any public APIs? Yes, new public APIs will be added to set and interact with the CRL callback.
  • Which versions of TLS will this impact? All versions.

Project Plan:

CRL Callback

  • [x] https://github.com/aws/s2n-tls/pull/3458
  • [x] https://github.com/aws/s2n-tls/pull/3444
  • [ ] https://github.com/aws/s2n-tls/pull/3500
  • [ ] https://github.com/aws/s2n-tls/pull/3501
  • [ ] Add option to check leaf certificates vs intermediate certificates
  • [ ] Add helper functions to check CRL thisUpdate and nextUpdate fields
  • [ ] Add and document new public APIs

CRL Cache

TODO

goatgoose, Sep 19 '22 15:09
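The callback design sketched in this issue (the application supplies a CRL for each received certificate, the library checks the certificate's serial against it, with an option to limit checking to leaf certificates and helpers for the thisUpdate/nextUpdate window) can be modelled without any TLS library. The following is an added example, not s2n-tls code and not the API the linked pull requests introduce: every struct, enum, function name and the `crl_lookup_fn` callback signature are hypothetical, and the CRL table, certificate chain and clock values are constructed. It shows the three outcomes a defender cares about: a fresh CRL that does not list the serial, a revoked intermediate that only a whole-chain policy catches, and a CRL outside its validity window, which is treated as a failure rather than silently accepted.

```c
/* Added example (not s2n-tls code): a minimal model of callback-driven CRL
 * revocation checking. All names and the callback signature are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed CRL model: issuer name, validity window, revoked serials. */
struct crl {
    const char *issuer;
    int64_t this_update;   /* constructed "seconds since epoch" values */
    int64_t next_update;
    const uint64_t *revoked_serials;
    size_t revoked_count;
};

/* Constructed certificate model. */
struct cert {
    const char *subject;
    const char *issuer;
    uint64_t serial;
    bool is_leaf;
};

enum crl_result {
    CRL_OK = 0,        /* CRL found, fresh, serial not listed */
    CRL_REVOKED,       /* serial appears on the issuer's CRL */
    CRL_STALE,         /* now is outside thisUpdate..nextUpdate */
    CRL_UNAVAILABLE,   /* callback supplied no CRL for this issuer */
    CRL_SKIPPED        /* policy excludes this cert (leaf-only mode) */
};

/* Hypothetical callback: the application returns the CRL for an issuer, or NULL. */
typedef const struct crl *(*crl_lookup_fn)(const char *issuer, void *ctx);

struct crl_policy {
    crl_lookup_fn lookup;
    void *ctx;
    bool check_intermediates;  /* leaf-only vs whole-chain option */
    int64_t now;               /* injected clock, so results are deterministic */
};

/* Helper for the thisUpdate/nextUpdate check: half-open window [this, next). */
bool crl_is_fresh(const struct crl *c, int64_t now)
{
    return now >= c->this_update && now < c->next_update;
}

bool crl_lists_serial(const struct crl *c, uint64_t serial)
{
    for (size_t i = 0; i < c->revoked_count; i++)
        if (c->revoked_serials[i] == serial) return true;
    return false;
}

enum crl_result crl_check_cert(const struct crl_policy *p, const struct cert *cert)
{
    if (!cert->is_leaf && !p->check_intermediates) return CRL_SKIPPED;
    const struct crl *c = p->lookup(cert->issuer, p->ctx);
    if (c == NULL) return CRL_UNAVAILABLE;   /* fail closed: no CRL, no trust */
    if (!crl_is_fresh(c, p->now)) return CRL_STALE;
    return crl_lists_serial(c, cert->serial) ? CRL_REVOKED : CRL_OK;
}

/* Walks a leaf-first chain; the first non-OK, non-SKIPPED result rejects it. */
enum crl_result crl_check_chain(const struct crl_policy *p, const struct cert *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        enum crl_result r = crl_check_cert(p, &chain[i]);
        if (r != CRL_OK && r != CRL_SKIPPED) return r;
    }
    return CRL_OK;
}

/* ---- constructed sample data ---- */
static const uint64_t root_revoked[]  = { 0x2222 };          /* the intermediate is revoked */
static const uint64_t inter_revoked[] = { 0x1001, 0x1002 };  /* two unrelated leaves */

static const struct crl sample_crls[] = {
    { "Root CA",         1000, 2000, root_revoked,  1 },
    { "Intermediate CA", 1000, 2000, inter_revoked, 2 },
};

/* Sample callback: linear lookup over the constructed CRL table. */
const struct crl *sample_lookup(const char *issuer, void *ctx)
{
    (void)ctx;
    for (size_t i = 0; i < sizeof sample_crls / sizeof sample_crls[0]; i++)
        if (strcmp(sample_crls[i].issuer, issuer) == 0) return &sample_crls[i];
    return NULL;
}

/* Leaf (serial 0x1003, not listed) issued by an intermediate (serial 0x2222, listed). */
static const struct cert sample_chain[] = {
    { "server.example",  "Intermediate CA", 0x1003, true  },
    { "Intermediate CA", "Root CA",         0x2222, false },
};

enum crl_result check_sample_chain(bool check_intermediates, int64_t now)
{
    struct crl_policy p = { sample_lookup, NULL, check_intermediates, now };
    return crl_check_chain(&p, sample_chain, 2);
}

int main(void)
{
    printf("leaf only:   %d\n", check_sample_chain(false, 1500));  /* 0 = CRL_OK */
    printf("whole chain: %d\n", check_sample_chain(true, 1500));   /* 1 = CRL_REVOKED */
    printf("stale CRL:   %d\n", check_sample_chain(false, 2500));  /* 2 = CRL_STALE */
    return 0;
}
```

Two design choices are worth noting. The clock is injected through the policy rather than read from `time()`, which keeps the freshness check testable and makes it explicit that a CRL past its nextUpdate is a distinct failure from a revoked serial. And a callback returning no CRL is a failure, not a pass: a revocation mechanism that quietly accepts certificates whenever the CRL is missing gives an attacker an easy way to disable it.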