From b219dbd698c74cf3c904445d13bb3453be6e1ac8 Mon Sep 17 00:00:00 2001
From: Magnus Henoch <magnus@erlang-solutions.com>
Date: Tue, 8 Dec 2015 18:23:42 +0000
Subject: Add ssl_crl_hash_dir module

This module is an implementation of the ssl_crl_cache_api behaviour.
It can be used when there is a directory containing CRLs for all
relevant CAs, in the form used by e.g. Apache.  The module assumes
that the directory is being updated through an external process.
---
 lib/ssl/doc/src/ssl.xml | 60 ++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 52 insertions(+), 8 deletions(-)

(limited to 'lib/ssl/doc/src/ssl.xml')

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index a1fba5fbff..31f88f3285 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -360,15 +360,59 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
 	<p>Specify how to perform lookup and caching of certificate revocation lists.
 	<c>Module</c> defaults to <seealso marker="ssl:ssl_crl_cache">ssl_crl_cache</seealso>
 	with <c> DbHandle </c> being <c>internal</c> and an
-	empty argument list. The following arguments may be specified for the internal cache:</p>
+	empty argument list.</p>
+
+	<p>There are two implementations available:</p>
+
 	<taglist>
-	  <tag><c>{http, timeout()}</c></tag>
-	  <item><p>
-	    Enables fetching of CRLs specified as http URIs in<seealso 
-	    marker="public_key:public_key_records"> X509 certificate extensions.</seealso>
-	    Requires the OTP inets application.</p>
-	  </item>	    
-	</taglist>    
+	  <tag><c>ssl_crl_cache</c></tag>
+	  <item>
+	    <p>This module maintains a cache of CRLs.  CRLs can be
+	    added to the cache using the function <seealso
+	    marker="ssl:ssl_crl_cache#insert-1">ssl_crl_cache:insert/1</seealso>,
+	    and optionally automatically fetched through HTTP if the
+	    following argument is specified:</p>
+
+	    <taglist>
+	      <tag><c>{http, timeout()}</c></tag>
+	      <item><p>
+		Enables fetching of CRLs specified as http URIs in<seealso
+		marker="public_key:public_key_records">X509 certificate extensions</seealso>.
+		Requires the OTP inets application.</p>
+	      </item>
+	    </taglist>
+	  </item>
+
+	  <tag><c>ssl_crl_hash_dir</c></tag>
+	  <item>
+	    <p>This module makes use of a directory where CRLs are
+	    stored in files named by the hash of the issuer name.</p>
+
+	    <p>The file names consist of eight hexadecimal digits
+	    followed by <c>.rN</c>, where <c>N</c> is an integer,
+	    e.g. <c>1a2b3c4d.r0</c>.  For the first version of the
+	    CRL, <c>N</c> starts at zero, and for each new version,
+	    <c>N</c> is incremented by one.  The OpenSSL utility
+	    <c>c_rehash</c> creates symlinks according to this
+	    pattern.</p>
+
+	    <p>For a given hash value, this module finds all
+	    consecutive <c>.r*</c> files starting from zero, and those
+	    files taken together make up the revocation list.  CRL
+	    files whose <c>nextUpdate</c> fields are in the past, or
+	    that are issued by a different CA that happens to have the
+	    same name hash, are excluded.</p>
+
+	    <p>The following argument is required:</p>
+
+	    <taglist>
+	      <tag><c>{dir, string()}</c></tag>
+	      <item><p>Specifies the directory in which the CRLs can be found.</p></item>
+	    </taglist>
+
+	  </item>
+	</taglist>
+
       </item>
 
       <tag><c>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} |
-- 
cgit v1.2.3