CRL automatic download


Hello,

I plan to add CRL automatic download to modssl. I mean, when a certificate
contains a CRL distribution point, use it to download the CRL just-in-time
if it's not present in the local store, or if it's outdated, ...
I have the code to do the automatic download, but the integration in
modssl doesn't look evident to me, as it's my first dive into your code.

Here is what I currently plan:
- In function "ssl_callback_SSLVerify( )", replace the call to
  "ssl_callback_SSLVerify_CRL( )" by a call to a new function
  "ssl_callback_SSLVerify_Validity( )", with exactly the same parameters
- In "ssl_callback_SSLVerify_Validity( )":
  - possibly perform an OCSP check (see my e-mail from today)
  - call "ssl_callback_SSLVerify_CRL( )"
  - if the check failed because the certificate is revoked => return error
  - download the CRL
    (this could be quite long, I could get a time-out. Any idea about that?)
  - if the download failed => return error
  - write the CRL to the registered directory
  - create a link to the CRL with name {hash}.r0
    (can't I directly copy the file under that name?)
  - add the CRL to the CRL store
    (or re-create totally the store? This wouldn't be efficient)
  - call "ssl_callback_SSLVerify_CRL( )" again

Do you see any problem with that?
Is somebody interested in participating in this, or simply discussing
more in-depth details?

Marc

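Added example, not Marc's code and not part of mod_ssl: the two pieces of the plan above that are easy to get subtly wrong, the {hash}.rN file name for the revocation directory (including what to do when another issuer already occupies the hash slot, and why copying the file under that name is as good as a link) and the "is the local CRL outdated" test. It assumes the MD5-based X509_NAME_hash OpenSSL used at the time (kept as X509_NAME_hash_old in later releases); the issuer names are constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timezone


def der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder (short-form length only), enough for sample Names.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def name_cn(cn: str) -> bytes:
    # Constructed DER Name with one CN RDN:
    # SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, PrintableString cn } } }
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def issuer_hash(issuer_der: bytes) -> str:
    # OpenSSL's original X509_NAME_hash (X509_NAME_hash_old from 1.0.0 on):
    # first 4 bytes of MD5 over the DER Name, read little-endian, printed %08lx.
    digest = hashlib.md5(issuer_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def crl_file_name(issuer_der: bytes, store_dir: dict) -> str:
    # store_dir maps existing file names to the issuer DER of the CRL they hold
    # (what a scan of the SSLCARevocationPath directory would yield). Reuse the
    # slot if it already belongs to this issuer, otherwise take the next free
    # .rN, which is how c_rehash resolves hash collisions. Writing the
    # downloaded CRL straight to this name is equivalent to creating the link.
    h = issuer_hash(issuer_der)
    n = 0
    while f"{h}.r{n}" in store_dir and store_dir[f"{h}.r{n}"] != issuer_der:
        n += 1
    return f"{h}.r{n}"


def needs_download(have_local: bool, next_update, now: datetime) -> bool:
    # Fetch from the distribution point when there is no CRL for this issuer
    # in the local store, or when the local one has passed its nextUpdate.
    # A CRL without nextUpdate (None) is treated as never expiring, as OpenSSL does.
    if not have_local:
        return True
    return next_update is not None and now >= next_update
```
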
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Marc Stern [ Mi, 28 April 2004 16:36 ] [ ID #147635 ]