From 1a5ef986efb0461b3b87dc836036d661def4c4b5 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Thu, 4 Feb 2016 18:28:16 +0000 Subject: Improve formatting for crl_{check,cache} options --- lib/ssl/doc/src/ssl.xml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'lib/ssl/doc/src/ssl.xml') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 82bede69d0..a1fba5fbff 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -331,31 +331,36 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid {crl_check, boolean() | peer | best_effort } - Perform CRL (Certificate Revocation List) verification +

Perform CRL (Certificate Revocation List) verification (public_key:pkix_crls_validate/3) on all the certificates during the path validation (public_key:pkix_path_validation/3) - of the certificate chain. Defaults to false. + of the certificate chain. Defaults to false.

-

peer - check is only performed on - the peer certificate.

+ + peer + check is only performed on the peer certificate. -

best_effort - if certificate revocation status can not be determined - it will be accepted as valid.

+ best_effort + if certificate revocation status can not be determined + it will be accepted as valid. +

The CA certificates specified for the connection will be used to construct the certificate chain validating the CRLs.

-

The CRLs will be fetched from a local or external cache see +

The CRLs will be fetched from a local or external cache. See ssl_crl_cache_api(3).

{crl_cache, {Module :: atom(), {DbHandle :: internal | term(), Args :: list()}}} -

Module defaults to ssl_crl_cache with DbHandle internal and an - empty argument list. The following arguments may be specified for the internal cache.

+

Specify how to perform lookup and caching of certificate revocation lists. + Module defaults to ssl_crl_cache + with DbHandle being internal and an + empty argument list. The following arguments may be specified for the internal cache:

{http, timeout()}

-- cgit v1.2.3 From b219dbd698c74cf3c904445d13bb3453be6e1ac8 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Tue, 8 Dec 2015 18:23:42 +0000 Subject: Add ssl_crl_hash_dir module This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process. --- lib/ssl/doc/src/ssl.xml | 60 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 52 insertions(+), 8 deletions(-) (limited to 'lib/ssl/doc/src/ssl.xml') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index a1fba5fbff..31f88f3285 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -360,15 +360,59 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid

Specify how to perform lookup and caching of certificate revocation lists. Module defaults to ssl_crl_cache with DbHandle being internal and an - empty argument list. The following arguments may be specified for the internal cache:

+ empty argument list.

+ +

There are two implementations available:

+ - {http, timeout()} -

- Enables fetching of CRLs specified as http URIs in X509 certificate extensions. - Requires the OTP inets application.

-
-
+ ssl_crl_cache + +

This module maintains a cache of CRLs. CRLs can be + added to the cache using the function ssl_crl_cache:insert/1, + and optionally automatically fetched through HTTP if the + following argument is specified:

+ + + {http, timeout()} +

+ Enables fetching of CRLs specified as http URIs inX509 certificate extensions. + Requires the OTP inets application.

+
+
+
+ + ssl_crl_hash_dir + +

This module makes use of a directory where CRLs are + stored in files named by the hash of the issuer name.

+ +

The file names consist of eight hexadecimal digits + followed by .rN, where N is an integer, + e.g. 1a2b3c4d.r0. For the first version of the + CRL, N starts at zero, and for each new version, + N is incremented by one. The OpenSSL utility + c_rehash creates symlinks according to this + pattern.

+ +

For a given hash value, this module finds all + consecutive .r* files starting from zero, and those + files taken together make up the revocation list. CRL + files whose nextUpdate fields are in the past, or + that are issued by a different CA that happens to have the + same name hash, are excluded.

+ +

The following argument is required:

+ + + {dir, string()} +

Specifies the directory in which the CRLs can be found.

+
+ +
+
+
{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | -- cgit v1.2.3
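Review bot: in the first commit's hunk (the crl_check taglist), the new best_effort entry describes fail-open behaviour ("if certificate revocation status can not be determined it will be accepted as valid") without saying what true does in the same situation, which is the security trade-off a reader choosing between the two needs; suggest stating explicitly that true treats an undeterminable revocation status as a validation failure while best_effort lets the connection proceed, and that peer checks only the peer certificate, leaving the CA certificates in the chain unchecked. Minor: "can not" should be "cannot".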
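Review bot: in the ssl_crl_hash_dir hunk, the re-inserted line "Enables fetching of CRLs specified as http URIs inX509 certificate extensions." has lost the space in "in X509" that the removed line had. More substantively, the text says that .rN files whose nextUpdate is in the past, or that belong to a different CA with the same name hash, are excluded, but not what the lookup yields when every file for a hash is excluded or no file exists; since the commit message notes the directory is kept current by an external process, suggest documenting that a directory that is not refreshed leaves the revocation status undeterminable, which fails path validation unless crl_check is best_effort, and saying how a file from a different CA with a colliding hash is recognised so readers know the hash alone is not relied on.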