we had a few customers asked for client certificate revocation support.
there are a few options for us to support it:
-
Make use of the Erlang's builtin crl check and cache functionality
https://www.erlang.org/doc/man/ssl.html#type-crl_check
https://www.erlang.org/doc/man/ssl.html#type-crl_cache_opts
-
Like 1, but implement the cache callbacks by ourselves.
-
Provide custom verify callback in SSL options, and implement ourown check and cache
https://www.erlang.org/doc/man/ssl.html#type-custom_verify
return {revoked, _} , in case the cert is revoked.
No matter how it is implemented, we should have a configuration and an HTTP API to interface the users.
- Bootstrap the cache from a file (path of which is configurable)
- Persist the list in database
- Add CLI/HTTP APIs to add to / delete from the revocation list (and cache)
we had a few customers asked for client certificate revocation support.
there are a few options for us to support it:
Make use of the Erlang's builtin crl check and cache functionality
https://www.erlang.org/doc/man/ssl.html#type-crl_check
https://www.erlang.org/doc/man/ssl.html#type-crl_cache_opts
Like 1, but implement the cache callbacks by ourselves.
Provide custom verify callback in SSL options, and implement ourown check and cache
https://www.erlang.org/doc/man/ssl.html#type-custom_verify
return
{revoked, _}, in case the cert is revoked.No matter how it is implemented, we should have a configuration and an HTTP API to interface the users.