author: Magnus Henoch <[email protected]> 2015-12-08 18:23:42 +0000
committer: Magnus Henoch <[email protected]> 2016-04-05 15:21:01 +0100
commit: b219dbd698c74cf3c904445d13bb3453be6e1ac8 (patch)
tree: 479d612caf5945c4b866ced0a9f14c29d5ed5d8b /lib/ssl/doc/src
parent: ee2178b073e936760b405b338e473236a5df94ca (diff)
Add ssl_crl_hash_dir module
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
Diffstat (limited to 'lib/ssl/doc/src')
-rw-r--r--  lib/ssl/doc/src/ssl.xml  60
1 files changed, 52 insertions, 8 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index a1fba5fbff..31f88f3285 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -360,15 +360,59 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
<p>Specify how to perform lookup and caching of certificate revocation lists.
<c>Module</c> defaults to <seealso marker="ssl:ssl_crl_cache">ssl_crl_cache</seealso>
with <c> DbHandle </c> being <c>internal</c> and an
- empty argument list. The following arguments may be specified for the internal cache:</p>
+ empty argument list.</p>
+
+ <p>There are two implementations available:</p>
+
<taglist>
- <tag><c>{http, timeout()}</c></tag>
- <item><p>
- Enables fetching of CRLs specified as http URIs in<seealso
- marker="public_key:public_key_records"> X509 certificate extensions.</seealso>
- Requires the OTP inets application.</p>
- </item>
- </taglist>
+ <tag><c>ssl_crl_cache</c></tag>
+ <item>
+ <p>This module maintains a cache of CRLs. CRLs can be
+ added to the cache using the function <seealso
+ marker="ssl:ssl_crl_cache#insert-1">ssl_crl_cache:insert/1</seealso>,
+ and optionally automatically fetched through HTTP if the
+ following argument is specified:</p>
+
+ <taglist>
+ <tag><c>{http, timeout()}</c></tag>
+ <item><p>
+ Enables fetching of CRLs specified as http URIs in<seealso
+ marker="public_key:public_key_records">X509 certificate extensions</seealso>.
+ Requires the OTP inets application.</p>
+ </item>
+ </taglist>
+ </item>
+
+ <tag><c>ssl_crl_hash_dir</c></tag>
+ <item>
+ <p>This module makes use of a directory where CRLs are
+ stored in files named by the hash of the issuer name.</p>
+
+ <p>The file names consist of eight hexadecimal digits
+ followed by <c>.rN</c>, where <c>N</c> is an integer,
+ e.g. <c>1a2b3c4d.r0</c>. For the first version of the
+ CRL, <c>N</c> starts at zero, and for each new version,
+ <c>N</c> is incremented by one. The OpenSSL utility
+ <c>c_rehash</c> creates symlinks according to this
+ pattern.</p>
+
+ <p>For a given hash value, this module finds all
+ consecutive <c>.r*</c> files starting from zero, and those
+ files taken together make up the revocation list. CRL
+ files whose <c>nextUpdate</c> fields are in the past, or
+ that are issued by a different CA that happens to have the
+ same name hash, are excluded.</p>
+
+ <p>The following argument is required:</p>
+
+ <taglist>
+ <tag><c>{dir, string()}</c></tag>
+ <item><p>Specifies the directory in which the CRLs can be found.</p></item>
+ </taglist>
+
+ </item>
+ </taglist>
+
</item>
<tag><c>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} |
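Review bot: the ssl_crl_hash_dir paragraph ("For a given hash value, this module finds all consecutive .r* files ...") says that CRL files with a nextUpdate in the past, or issued by a different CA with the same name hash, are excluded, but not what the caller observes when that filtering leaves no usable CRL for an issuer; since the commit message states that the directory is kept up to date by an external process, a stale directory is a realistic state, and one sentence saying whether path validation then fails or continues without a revocation check would help operators judge the risk. Two smaller documentation points in the same paragraph: "files named by the hash of the issuer name" should identify the hash it expects (the one c_rehash produces, which the text already references, so that users can verify their files with the same OpenSSL tooling), and "all consecutive .r* files starting from zero" implies that a gap in the numbering, for example a removed .r0, silently drops every later file, which is worth spelling out given that rotation happens outside this module.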