
Add CRL (revocation list) checking option to client cert check

Open rainisto opened this issue 6 years ago • 9 comments

CRL checking is an essential part of a safe PKI.

The revocation list can be appended to the end of the pure-ftpd.pem file.

Use case: a trusted CA generates server and client certs, and at some point the CA revokes the client cert (the server should start rejecting the client, which it currently doesn't do). This patch fixes a bug where a revoked client cert could still log in.

By adding the -R:-C: options to the cipherlist, it starts checking the CRL that has been appended to the end of pure-ftpd.pem.

rainisto avatar Apr 30 '19 11:04 rainisto
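The use case from the post, reproduced with the openssl CLI as an added example (this is not pure-ftpd project code and not the patch under discussion). A throwaway internal CA issues two client certs, revokes one, publishes a CRL, and the CRL is appended to the CA bundle the same way the post appends it to pure-ftpd.pem; `openssl verify` then stands in for the server's certificate check. The bundle here holds only the CA cert and the CRL, and the file names, subjects and the minimal `ca.cnf` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not pure-ftpd project code: reproduce the issue's use case with the openssl
# CLI. A throwaway internal CA issues two client certs, revokes one, publishes a CRL, and the
# CRL is appended to the CA bundle, mirroring the "CRL appended to pure-ftpd.pem" layout.
# openssl verify stands in for the server's verifier. File names, subjects and the minimal
# ca.cnf are assumptions made for this demo.
set -u

# Returns 0 only if: the revoked cert passes WITHOUT CRL checking (the bug reported in the
# issue), is rejected WITH CRL checking, and a still-valid cert passes WITH CRL checking.
# The body runs in a subshell so the cd and the temp files do not leak into the caller.
crl_demo() (
    work=$(mktemp -d) || return 1
    cd "$work" || return 1

    # Throwaway CA, valid for one day; never use a CA like this outside a test.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo internal CA" -keyout ca.key -out ca.pem >/dev/null 2>&1 || return 1

    # Two client certs signed by that CA: "alice" stays valid, "mallory" gets revoked.
    for name in alice mallory; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -sha256 -days 1 -out "$name.pem" >/dev/null 2>&1 || return 1
    done

    # Minimal `openssl ca` configuration: just what -revoke and -gencrl need.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    : > index.txt          # empty CA database; -revoke adds the cert to it
    echo 01 > serial
    echo 01 > crlnumber

    # Revoke mallory and issue a CRL signed by the CA key.
    openssl ca -config ca.cnf -revoke mallory.pem >/dev/null 2>&1 || return 1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1

    # The layout from the issue: CRL appended to the end of the PEM bundle the verifier loads.
    cat ca.pem crl.pem > bundle.pem

    # 1. No CRL checking: the revoked cert still verifies. This is the behaviour the issue reports.
    openssl verify -CAfile bundle.pem mallory.pem >/dev/null 2>&1 || return 1

    # 2. CRL checking on: the revoked cert must now be rejected ("certificate revoked").
    if openssl verify -crl_check -CAfile bundle.pem mallory.pem >/dev/null 2>&1; then
        return 1
    fi

    # 3. CRL checking on, valid cert: must still pass. This proves the CRL in the bundle was
    #    actually found and used rather than every client being rejected.
    openssl verify -crl_check -CAfile bundle.pem alice.pem >/dev/null 2>&1 || return 1

    cd / && rm -rf "$work"
)

crl_demo && echo "CRL appended to the bundle is honoured once CRL checking is enabled"
```

`-crl_check` sets OpenSSL's X509_V_FLAG_CRL_CHECK (leaf certificate only) and `-crl_check_all` sets X509_V_FLAG_CRL_CHECK_ALL (every certificate in the chain), the same verify-parameter flags a server enables through X509_VERIFY_PARAM_set_flags. Two caveats for anyone appending a CRL to a static PEM file: once the CRL's nextUpdate has passed, OpenSSL rejects every client with "CRL has expired", so the CRL must be regenerated and re-appended on a schedule shorter than its validity, and the server must be restarted or reload the file for the new CRL to be seen.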

Can you update the documentation (README.TLS) as well as the example configuration file, and explain that this should be only used with internal CAs?

jedisct1 avatar Apr 30 '19 11:04 jedisct1

X509_VERIFY_PARAM_new() returns NULL on allocation failure.

X509_VERIFY_PARAM_set_flags() and SSL_CTX_set1_param() return 1 for success or 0 for failure.

All these functions can fail. Can we check for these conditions?

jedisct1 avatar Apr 30 '19 12:04 jedisct1

NULL checking would be useful in case memory allocated by OPENSSL_malloc fails, so I'll add NULL checking to the pull request tomorrow. Set flags always returns 1, so there is no need to check it.

rainisto avatar May 01 '19 09:05 rainisto

Set flags always returns 1, so there is no need to check it.

It's OpenSSL. You can't expect internals not to change without prior notice, even in a minor revision.

jedisct1 avatar May 01 '19 10:05 jedisct1

There is a typo in the README.TLS patch (genereted instead of generated).

racke avatar Jan 20 '20 06:01 racke