Client Certificates and CRL (Certificate Revocation list)
Hi POCO team!
POCO is a great library. I'm working on an HTTPS server prototype and using client authentication with client certificates. Everything works fine. My question now is whether the POCO library also supports a CRL (Certificate Revocation List).
In case the POCO library does not support CRLs, I would be grateful for any tip on how and where to implement my own.
Best regards Michael
The following solution works in my prototype.
Any comments?
#include <iostream>
#include <string>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
#include "Poco/Net/Context.h"
#include "Poco/Net/SecureServerSocket.h"

using Poco::Net::Context;
using Poco::Net::SecureServerSocket;

void loadCertificateRevocationList(SSL_CTX* sslCTX, const char* crlFile);

// At server start-up; port and crlFile (std::string) come from the application's configuration.
SecureServerSocket svs(port);
Context::Ptr pPocoSSLContext = svs.context();
if (pPocoSSLContext && !crlFile.empty())
{
    std::cout << "CRL check is on!" << std::endl;
    SSL_CTX* sslCTX = pPocoSSLContext->sslContext();
    loadCertificateRevocationList(sslCTX, crlFile.c_str());
}
....
// Attach a PEM CRL to the X509_STORE the SSL_CTX uses to verify client certificates.
void loadCertificateRevocationList(SSL_CTX* sslCTX, const char* crlFile)
{
    X509_STORE* store = SSL_CTX_get_cert_store(sslCTX);
    if (!store) {
        std::cerr << std::endl << "Error: Unable to obtain TLS store." << std::endl;
        return;
    }
    X509_LOOKUP* lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if (!lookup) {
        std::cerr << std::endl << "Error: Unable to add a file lookup to the TLS store." << std::endl;
        return;
    }
    // Returns the number of CRLs loaded from the file, 0 on error.
    int rc = X509_load_crl_file(lookup, crlFile, X509_FILETYPE_PEM);
    if (rc < 1) {
        std::cerr << std::endl << "Error: Unable to load certificate revocation file <" << crlFile << ">. Check crlfile." << std::endl;
        return;
    }
    // X509_V_FLAG_CRL_CHECK checks only the leaf (client) certificate against a CRL;
    // X509_V_FLAG_CRL_CHECK_ALL would also require a valid CRL for every CA in the chain.
    // Verification fails with X509_V_ERR_CRL_HAS_EXPIRED once the CRL's nextUpdate passes,
    // so the CRL file has to be refreshed and reloaded before that.
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
}
This issue is stale because it has been open for 365 days with no activity.
I guess OCSP does pretty much the same thing.