
Re: [Bacula-devel] Certificate Revocation Lists

On Jul 26, 2008, at 2:55 AM, Hanno Stock wrote:

Hello Bacula Developers / Users,

is there a way to use Certificate Revocation Lists in Bacula with TLS
support? Or is there any such feature planned?

I think this is important in a bigger deployment.

The feature is not currently supported, but if you are interested in adding it, take a look at new_tls_context() in src/lib/tls.c.

I believe it should be sufficient to fetch the backing X.509 store using SSL_CTX_get_cert_store(), and load the CRL list(s) with X509_load_crl_file(), and enable CRL checking with X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL.

This is only supported in OpenSSL 0.9.7 or later.

