Add support for certificate revocation lists
Traditionally, revoking user access to the server is as "simple" as deleting the CA and re-issuing all certificates. (Which is really not simple at all.) While this can be done with taky's self-built CA, it is much more difficult to do this with your organization's CA (as will become an issue with #24).
Word has it that support for CRLs in Python is mediocre at best. If it doesn't work, perhaps we can have some other method of access denial based on the certificate CN...
This article was instrumental in getting a proof of concept up and working.
https://stackoverflow.com/questions/39297240/python-failed-to-verify-any-crls-for-ssl-tls-connections
The key part here is:
ssl_ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
ssl_ctx.load_verify_locations(cafile='crl.pem')
This will take some finagling to get working with taky, but it should work.
OCSP could be an alternative, as it bypasses the need for a CRL file on the system and could handle revocation within the taky process.
There's a python library for building OCSP responses: https://github.com/wbond/ocspbuilder
The protocol is complicated though, so perhaps just a check for cert.subject in banned_users would be sufficient.
Because CRLs require a timestamp, we're going with a far simpler approach and just matching on the certificate serial number.
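For reference, here is a stand-alone sketch of both options discussed in this thread: a server `SSLContext` that enables leaf CRL checking via `VERIFY_CRL_CHECK_LEAF` when a CRL file is supplied, and the simpler serial-number deny list, including the normalisation needed because `openssl x509 -serial`, colon-separated output and `getpeercert()['serialNumber']` all spell serials differently. This is an added example, not taky's code; the function names and the deny-list format (one serial per line, `#` comments) are assumptions.

```python
import ssl
from typing import Iterable, Optional, Set

def normalize_serial(serial: str) -> str:
    """Canonicalise a certificate serial so different spellings compare equal:
    '0D:F1:2A', '0x0df12a' and '0DF12A' all become 'DF12A'."""
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.replace(":", "").replace(" ", "")
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError(f"not a hex serial: {serial!r}")
    return s.lstrip("0").upper() or "0"

def load_revoked_serials(lines: Iterable[str]) -> Set[str]:
    """Parse a deny list (assumed format: one serial per line, '#' starts a comment)."""
    revoked = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            revoked.add(normalize_serial(line))
    return revoked

def is_revoked(peercert: dict, revoked: Set[str]) -> bool:
    """peercert is the dict SSLSocket.getpeercert() returns after a mutual-TLS
    handshake. A missing serial is treated as revoked so the check fails closed."""
    serial = peercert.get("serialNumber")
    if not serial:
        return True
    return normalize_serial(serial) in revoked

def build_server_context(crlfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that requires client certificates. If a PEM CRL path is
    given, enable CRL checking of the leaf certificate as in the linked answer.
    The caller still loads its CA and server cert/key (deployment-specific paths)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if crlfile is not None:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        # A CRL in PEM form is loaded through the same cafile= parameter.
        ctx.load_verify_locations(cafile=crlfile)
    return ctx

def crl_checking_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject leaf certificates listed in a loaded CRL."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)
```

Note that with `VERIFY_CRL_CHECK_LEAF` set, a handshake fails outright if no CRL has been loaded, which is why the flag is only set when a file is supplied; the serial deny list instead runs after the handshake on the accepted socket.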