Updates in CRL handling.
Ensure reload on SIGHUP, and print an appropriate error when an empty CRL file is encountered.
@@ -715,6 +715,7 @@ unsigned total = 10;
|
||||
if (reload_conf != 0) {
|
||||
mslog(s, NULL, LOG_INFO, "reloading configuration");
|
||||
reload_cfg_file(s->config);
|
||||
tls_reload_crl(s);
|
||||
reload_conf = 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -172,6 +172,7 @@ server-key = /path/to/key.pem
|
||||
#cert-group-oid = 2.5.4.11
|
||||
|
||||
# The revocation list of the certificates issued by the 'ca-cert' above.
|
||||
# See the manual to generate an empty CRL initially.
|
||||
#crl = /path/to/crl.pem
|
||||
|
||||
# GnuTLS priority string
|
||||
@@ -550,6 +551,13 @@ $ certtool --generate-crl --load-ca-privkey ca-key.pem \
|
||||
After that you may want to notify ocserv of the new CRL by using
|
||||
the HUP signal.
|
||||
|
||||
When there are no revoked certificates an empty revocation list
|
||||
should be generated as follows.
|
||||
@example
|
||||
$ certtool --generate-crl --load-ca-privkey ca-key.pem \
|
||||
--load-ca-certificate ca.pem \
|
||||
--outfile crl.pem
|
||||
@end example
|
||||
_EOT_;
|
||||
};
|
||||
|
||||
|
||||
35
src/tlslib.c
35
src/tlslib.c
@@ -599,17 +599,7 @@ unsigned len;
|
||||
mslog(s, NULL, LOG_INFO, "processed %d CA certificate(s)", ret);
|
||||
}
|
||||
|
||||
if (s->config->crl != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_crl_file(s->creds.xcred,
|
||||
s->config->crl,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
mslog(s, NULL, LOG_ERR, "error setting the CRL (%s) file",
|
||||
s->config->crl);
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
tls_reload_crl(s);
|
||||
|
||||
gnutls_certificate_set_verify_function(s->creds.xcred,
|
||||
verify_certificate_cb);
|
||||
@@ -645,6 +635,29 @@ unsigned len;
|
||||
return;
|
||||
}
|
||||
|
||||
void tls_reload_crl(main_server_st* s)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (s->config->cert_req != GNUTLS_CERT_IGNORE && s->config->crl != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_crl_file(s->creds.xcred,
|
||||
s->config->crl,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
/* ignore the CRL file when empty */
|
||||
if (ret == GNUTLS_E_BASE64_DECODING_ERROR) {
|
||||
mslog(s, NULL, LOG_ERR, "empty or unreadable CRL file (%s); check documentation to generate an empty CRL",
|
||||
s->config->crl);
|
||||
} else {
|
||||
mslog(s, NULL, LOG_ERR, "error reading the CRL (%s) file: %s",
|
||||
s->config->crl, gnutls_strerror(ret));
|
||||
}
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void tls_cork(gnutls_session_t session)
|
||||
{
|
||||
gnutls_record_cork(session);
|
||||
|
||||
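Review bot: The `exit(1)` inside tls_reload_crl (hunk @@ -645,6 +635,29) is now also reached from the SIGHUP path, so a CRL file that is missing, empty, or caught mid-rewrite at reload time terminates the running server and every connected session, whereas before this commit a CRL problem could only fail the process at startup. Whether a bad CRL on reload should be fatal, or should log and keep the previously loaded list (at the cost of not applying new revocations until the file is fixed), is a policy decision that should be taken explicitly rather than inherited from the startup code; returning an int and leaving the decision to each caller keeps startup strict (`if (tls_reload_crl(s) < 0) exit(1);` in tls_global_init_certs) while the SIGHUP caller can choose to only log, and the prototype in the header hunk would change to match. It is also worth confirming against the GnuTLS version in use whether gnutls_certificate_set_x509_crl_file appends to the credential's CRL list rather than replacing it; if it appends, each SIGHUP adds another copy of the list, and gnutls_certificate_free_crls(s->creds.xcred) before re-loading would avoid that growth.
```c
/* Loads the configured CRL into the credentials.
 * Returns 0 on success (or when no CRL is configured / client certs are
 * ignored) and a negative GnuTLS error code otherwise; callers decide
 * whether a failure is fatal. */
int tls_reload_crl(main_server_st* s)
{
	int ret;

	if (s->config->cert_req == GNUTLS_CERT_IGNORE || s->config->crl == NULL)
		return 0;

	ret = gnutls_certificate_set_x509_crl_file(s->creds.xcred,
						   s->config->crl,
						   GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		/* … unchanged: the two mslog() error branches … */
		return ret;
	}
	return 0;
}
```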
@@ -41,6 +41,7 @@ ssize_t tls_send_nowait(gnutls_session_t session, const void *data,
|
||||
void tls_cork(gnutls_session_t session);
|
||||
int tls_uncork(gnutls_session_t session);
|
||||
|
||||
void tls_reload_crl(struct main_server_st* s);
|
||||
void tls_global_init(struct main_server_st* s);
|
||||
void tls_global_deinit(struct main_server_st* s);
|
||||
void tls_global_init_certs(struct main_server_st* s);
|
||||
|
||||