From b219dbd698c74cf3c904445d13bb3453be6e1ac8 Mon Sep 17 00:00:00 2001 From: Magnus Henoch Date: Tue, 8 Dec 2015 18:23:42 +0000 Subject: Add ssl_crl_hash_dir module This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process. --- lib/ssl/doc/src/ssl.xml | 60 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 52 insertions(+), 8 deletions(-) (limited to 'lib/ssl/doc/src') diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index a1fba5fbff..31f88f3285 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -360,15 +360,59 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid

Specify how to perform lookup and caching of certificate revocation lists. Module defaults to ssl_crl_cache with DbHandle being internal and an - empty argument list. The following arguments may be specified for the internal cache:

+ empty argument list.

+ +

There are two implementations available:

+ - {http, timeout()} -

- Enables fetching of CRLs specified as http URIs in X509 certificate extensions. - Requires the OTP inets application.

-
-
+ ssl_crl_cache + +

This module maintains a cache of CRLs. CRLs can be + added to the cache using the function ssl_crl_cache:insert/1, + and optionally automatically fetched through HTTP if the + following argument is specified:

+ + + {http, timeout()} +

+ Enables fetching of CRLs specified as http URIs inX509 certificate extensions. + Requires the OTP inets application.

+
+
+
+ + ssl_crl_hash_dir + +

This module makes use of a directory where CRLs are + stored in files named by the hash of the issuer name.

+ +

The file names consist of eight hexadecimal digits + followed by .rN, where N is an integer, + e.g. 1a2b3c4d.r0. For the first version of the + CRL, N starts at zero, and for each new version, + N is incremented by one. The OpenSSL utility + c_rehash creates symlinks according to this + pattern.

+ +

For a given hash value, this module finds all + consecutive .r* files starting from zero, and those + files taken together make up the revocation list. CRL + files whose nextUpdate fields are in the past, or + that are issued by a different CA that happens to have the + same name hash, are excluded.

+ +

The following argument is required:

+ + + {dir, string()} +

Specifies the directory in which the CRLs can be found.

+
+ +
+ + {partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | -- cgit v1.2.3