Certificate expiration and revocation control

Asked by Rémi SALEMBIER

Hi,

I was looking at the expiration and revocation control of Mosquitto and, from what I have seen, not much has been done around it.

If I want to implement my own logic, it seems I can't do that from the auth plugin. It has to be implemented in the net.c file (around line 208):

#ifdef WITH_TLS
static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
{
    /* Preverify should check expiry, revocation. */
    return preverify_ok;
}
#endif

Please tell me if you are planning to do something around that, and whether you would be interested in me pushing some code with that sort of functionality?

Thanks.
Remi

Question information

Status: Answered
For: mosquitto
Roger Light (roger.light) said:
#1

The comment there could be clearer. It should be something like "Preverify should have already checked expiry and revocation, so we can just return it."

There are some tests in test/broker/ that test that revoked and expired certificates are correctly handled.
