Client Certificates and CRL (Certificate Revocation list)

[michaelcplusplus]

Hi POCO team!

POCO is a great library.
I'm working on a HTTPS server prototype and using client authentication with client certificates.
Everything works fine.
My question now is whether the POCO library also supports a CRL(Certificate Revocation list).

In case the POCO library does not support CRL, I would be grateful for any tip on how and where to implement my own implementation.

Best regards
Michael

[michaelcplusplus]

The following solution works in my prototype.

Any comments?

	SecureServerSocket svs(port);

	Context::Ptr pPocoSSLContext = svs.context();

	if (pPocoSSLContext && (!crlFile.empty()))
	{
		std::cout << "CRL check is on!" << std::endl;
		SSL_CTX* sslCTX = pPocoSSLContext->sslContext();
		loadCertificateRevocationList(sslCTX, crlFile.c_str());
	}

        ....
	void loadCertificateRevocationList(SSL_CTX* sslCTX, const char * crlFile)
	{
		X509_STORE *store = SSL_CTX_get_cert_store(sslCTX);
		if (!store) {
			std::cerr << std::endl << "Error: Unable to obtain TLS store." << std::endl;
			return;
		}
		X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
		int rc = X509_load_crl_file(lookup, crlFile, X509_FILETYPE_PEM);
		if (rc != 1) {
			std::cerr << std::endl << "Error: Unable to load certificate revocation file <" << crlFile << ">. Check crlfile." << std::endl;
			return;
		}
		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
	}

[github-actions[bot]]

This issue is stale because it has been open for 365 days with no activity.

[aleks-f]

I guess OCSP does pretty much the same thing.

[github-actions[bot]]

This issue is stale because it has been open for 365 days with no activity.