tkuester / taky

A simple python TAK server
MIT License
188 stars 43 forks

Add support for certificate revocation lists #30

Closed tkuester closed 1 year ago

tkuester commented 3 years ago

Traditionally, revoking user access to the server is as "simple" as deleting the CA and re-issuing all certificates. (Which is really not simple at all.) While this can be done with taky's self-built CA, it is much more difficult to do this with your organization's CA (as will become an issue with #24).

Word has it that support for CRLs in Python is mediocre at best. If it doesn't work, perhaps we can have some other method of access denial based on the certificate CN...

tkuester commented 3 years ago

This article was instrumental in getting a proof of concept up and working.

https://stackoverflow.com/questions/39297240/python-failed-to-verify-any-crls-for-ssl-tls-connections

The key part here is:

```python
import ssl
ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # assumed: the snippet omits how ssl_ctx is built
ssl_ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF   # check the client's leaf certificate against a CRL
ssl_ctx.load_verify_locations(cafile='crl.pem')    # the CRL itself must be loaded too; the flag alone fails every client
```

This will take some finagling to get working with taky, but it should work.
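A working demonstration of those two lines, as an added example (it is not taky's code and not the linked answer's): it assumes an `openssl` binary on PATH, which it uses only to mint a throwaway CA, a client certificate for `alice` and a CRL in a temporary directory, then runs the TLS handshake in-process over `ssl.MemoryBIO` so three server configurations can be compared without sockets or threads. The CA certificate doubling as the server's own certificate is a shortcut for brevity, and `build_pki`, `make_crl`, `server_context`, `handshake` and `demo` are names chosen here.

```python
import os
import ssl
import subprocess
import tempfile


def openssl(*args, cwd):
    """Run one openssl subcommand in cwd, raising on failure."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def build_pki(d):
    """Throwaway CA plus one client certificate (CN=alice) signed by it."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=demo-ca", "-keyout", "ca.key", "-out", "ca.pem", cwd=d)
    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=alice",
            "-keyout", "alice.key", "-out", "alice.csr", cwd=d)
    openssl("x509", "-req", "-in", "alice.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-out", "alice.pem", cwd=d)
    # Minimal `openssl ca` config: only what -revoke and -gencrl need.
    with open(os.path.join(d, "ca.cnf"), "w") as f:
        f.write("[ca]\ndefault_ca = demo\n[demo]\n"
                f"database = {d}/index.txt\ncertificate = {d}/ca.pem\n"
                f"private_key = {d}/ca.key\ndefault_md = sha256\ndefault_crl_days = 1\n")
    open(os.path.join(d, "index.txt"), "w").close()   # empty CA database


def make_crl(d, revoke_alice):
    """Issue a fresh CRL, optionally with alice's certificate listed as revoked."""
    if revoke_alice:
        openssl("ca", "-config", "ca.cnf", "-revoke", "alice.pem", cwd=d)
    openssl("ca", "-config", "ca.cnf", "-gencrl", "-out", "crl.pem", cwd=d)
    return os.path.join(d, "crl.pem")


def server_context(d, crl_path):
    """Server side: require a client cert from our CA; load a CRL if given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Demo shortcut: the CA certificate doubles as the server's own certificate.
    ctx.load_cert_chain(os.path.join(d, "ca.pem"), os.path.join(d, "ca.key"))
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=os.path.join(d, "ca.pem"))
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF   # insist on a CRL check of the leaf
    if crl_path:
        ctx.load_verify_locations(cafile=crl_path)  # a CRL is loaded like a CA file
    return ctx


def client_context(d):
    """Client side: present alice's certificate, skip server verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(os.path.join(d, "alice.pem"), os.path.join(d, "alice.key"))
    return ctx


def handshake(server_ctx, client_ctx):
    """Drive both ends of a TLS handshake through memory BIOs.

    Returns (accepted, message); on rejection the message is OpenSSL's
    certificate verification error text."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    sides = [[client, c_out, s_in, False], [server, s_out, c_in, False]]
    for _ in range(16):                       # a handshake needs only a few passes
        for side in sides:
            obj, out_bio, peer_in, done = side
            if not done:
                try:
                    obj.do_handshake()
                    side[3] = True
                except ssl.SSLWantReadError:
                    pass                      # waiting for the peer's next flight
                except ssl.SSLError as e:
                    return False, getattr(e, "verify_message", str(e))
            peer_in.write(out_bio.read())     # ferry this side's output to the peer
        if sides[0][3] and sides[1][3]:
            return True, "accepted"
    return False, "handshake did not complete"


def demo():
    """The same client certificate against three server configurations."""
    with tempfile.TemporaryDirectory() as d:
        build_pki(d)
        return {
            "no_crl": handshake(server_context(d, None), client_context(d)),
            "crl_not_listed": handshake(server_context(d, make_crl(d, False)), client_context(d)),
            "crl_revoked": handshake(server_context(d, make_crl(d, True)), client_context(d)),
        }


if __name__ == "__main__":
    for name, (ok, msg) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {msg}")
```

The first scenario is the one to keep in mind when wiring this into a server: once `VERIFY_CRL_CHECK_LEAF` is set, OpenSSL fails closed and rejects every client ("unable to get certificate CRL") until a CRL for the issuing CA has been loaded, and a CRL whose `nextUpdate` has passed is rejected the same way ("CRL has expired"). A stale or missing CRL file is therefore an outage, not a silent fallback. The CA certificate and the CRL can also be concatenated into one PEM file and loaded with a single `load_verify_locations` call.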

doug-fitzmaurice-rowden commented 3 years ago

OCSP could be an alternative, as it bypasses the need for a CRL file on the system and could handle revocation within the taky process.

There's a python library for building OCSP responses: https://github.com/wbond/ocspbuilder

The protocol is complicated though, so perhaps just a check for cert.subject in banned_users would be sufficient.

tkuester commented 1 year ago

Because CRLs require a timestamp, we're going with a far simpler approach and just matching on the certificate serial number.
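The serial-number approach the thread settles on, as an added example (not taky's implementation): a stdlib-only deny list that consumes the dict `getpeercert()` returns after a verified handshake. The sample certificate dicts, the `taky-ca` and `other-ca` issuer names and the class and function names are constructed here; keying the list on issuer as well as serial is this example's addition, not something the issue specifies.

```python
# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer: names as nested RDN tuples, serialNumber as uppercase hex.
ALICE = {"subject": ((("commonName", "alice"),),),
         "issuer": ((("commonName", "taky-ca"),),),
         "serialNumber": "0A1B2C3D"}
BOB = {"subject": ((("commonName", "bob"),),),
       "issuer": ((("commonName", "taky-ca"),),),
       "serialNumber": "0A1B2C3E"}
# Same serial as ALICE but issued by a different CA, which becomes possible
# once the server trusts an organisation CA next to taky's own (cf. #24).
MALLORY = {"subject": ((("commonName", "mallory"),),),
           "issuer": ((("commonName", "other-ca"),),),
           "serialNumber": "0A1B2C3D"}


def issuer_cn(cert):
    """commonName of the issuer, walking getpeercert()'s nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def normalize_serial(serial):
    """Canonicalise a serial for comparison.

    getpeercert() gives uppercase hex with no prefix; an operator copying a
    multi-byte serial from `openssl x509 -text` gets lowercase, colon-separated
    bytes and may add 0x.  Comparing as integers makes all of those equal."""
    text = str(serial).strip().lower().replace(":", "")
    if text.startswith("0x"):
        text = text[2:]
    return int(text, 16)


class RevokedSerials:
    """In-process deny list keyed on (issuer CN, serial).

    A serial number is only unique per issuer (RFC 5280 section 4.1.2.2), so
    the issuer is part of the key; a bare serial match would also reject an
    unrelated certificate from another trusted CA."""

    def __init__(self, entries=()):
        self._revoked = {(issuer, normalize_serial(serial)) for issuer, serial in entries}

    def revoke(self, issuer_cn_value, serial):
        self._revoked.add((issuer_cn_value, normalize_serial(serial)))

    def is_revoked(self, peer_cert):
        """True if the connection must be dropped.  Fails closed when there is
        no verified certificate (getpeercert() returns {} or None then)."""
        if not peer_cert or "serialNumber" not in peer_cert:
            return True
        key = (issuer_cn(peer_cert), normalize_serial(peer_cert["serialNumber"]))
        return key in self._revoked


if __name__ == "__main__":
    banned = RevokedSerials([("taky-ca", "0a:1b:2c:3d")])   # as pasted from -text output
    for cert in (ALICE, BOB, MALLORY):
        print(cert["subject"][0][0][1], "revoked" if banned.is_revoked(cert) else "ok")
```

Call `is_revoked(sock.getpeercert())` right after the TLS handshake and before the connection is handed to the server's message handling, closing the socket on a hit. Unlike a CRL this needs no timestamps, but it is only as current as the running process, so the list should be persisted and reloaded on change. It also presupposes `verify_mode = CERT_REQUIRED`: with `CERT_NONE` the peer dict is empty, which is why the check fails closed rather than letting an unverified peer through.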