eip icon indicating copy to clipboard operation
eip copied to clipboard
verified publisher icon emqx

certificate revocation

Open zmstone opened this issue 4 years ago • 0 comments

we had a few customers asked for client certificate revocation support.

there are a few options for us to support it:

  1. Make use of the Erlang's builtin crl check and cache functionality https://www.erlang.org/doc/man/ssl.html#type-crl_check https://www.erlang.org/doc/man/ssl.html#type-crl_cache_opts

  2. Like 1, but implement the cache callbacks by ourselves.

  3. Provide custom verify callback in SSL options, and implement ourown check and cache https://www.erlang.org/doc/man/ssl.html#type-custom_verify return {revoked, _} , in case the cert is revoked.

No matter how it is implemented, we should have a configuration and an HTTP API to interface the users.

  • Bootstrap the cache from a file (path of which is configurable)
  • Persist the list in database
  • Add CLI/HTTP APIs to add to / delete from the revocation list (and cache)

zmstone avatar Dec 10 '21 08:12 zmstone