
tls: CRL support

Support for certificate revocation lists.
Patch by Couprie Geoffroy  geoffroy.couprie atosorigin com
(FS#88) ported to 3.1 (config framework, relative pathname support)
and with more docs.

Closes FS#88.
Andrei Pelinescu-Onciul 15 سال پیش
والد
کامیت
73c87ff7b6
11فایلهای تغییر یافته به همراه278 افزوده شده و 87 حذف شده
  1. 2 0
      NEWS
  2. 1 1
      config.h
  3. 131 80
      modules/tls/README
  4. 82 6
      modules/tls/doc/params.xml
  5. 4 0
      modules/tls/tls.cfg
  6. 6 0
      modules/tls/tls_cfg.c
  7. 1 0
      modules/tls/tls_cfg.h
  8. 2 0
      modules/tls/tls_config.c
  9. 43 0
      modules/tls/tls_domain.c
  10. 1 0
      modules/tls/tls_domain.h
  11. 5 0
      modules/tls/tls_mod.c

+ 2 - 0
NEWS

@@ -101,6 +101,7 @@ modules:
            blst_rpl_clear_ignore(mask): like blst_rpl_ignore(mask), but
             clears instead of setting.
    - tls:
+          certificate revocation list (CRL) support.
           asynchronous TLS support
           new TLS RPCs (tls.info, tls.options), tls.list more detailed.
           removed handshake_timeout and send_timeout module parameters /
@@ -108,6 +109,7 @@ modules:
             (tcp_connect_timeout and tcp_send_timeout).
           runtime config support
           more config options:
+            crl - certificate revocation list file path (PEM format).
             send_close_notify - enables/disables sending close notify
               alerts prior to closing the corresponding TCP connection.
               Sending the close notify prior to tcp shutdown is "nicer"

+ 1 - 1
config.h

@@ -52,7 +52,7 @@
 #define TLS_PKEY_FILE "cert.pem" 	/*!< The certificate private key file */
 #define TLS_CERT_FILE "cert.pem"	/*!< The certificate file */
 #define TLS_CA_FILE 0			/*!< no CA list file by default */
-
+#define TLS_CRL_FILE 0 /*!< no CRL by default */
 
 #define MAX_LISTEN 16			/*!< maximum number of addresses on which we will listen */
 

+ 131 - 80
modules/tls/README

@@ -23,28 +23,29 @@ Andrei Pelinescu-Onciul
         1.9.2. certificate (string)
         1.9.3. private_key (string)
         1.9.4. ca_list (string)
-        1.9.5. verify_certificate (boolean)
-        1.9.6. verify_depth (integer)
-        1.9.7. require_certificate (boolean)
-        1.9.8. cipher_list (string)
-        1.9.9. send_timeout (int)
-        1.9.10. handshake_timeout (int)
-        1.9.11. connection_timeout (int)
-        1.9.12. tls_disable_compression (boolean)
-        1.9.13. ssl_release_buffers (integer)
-        1.9.14. ssl_free_list_max_len (integer)
-        1.9.15. ssl_max_send_fragment (integer)
-        1.9.16. ssl_read_ahead (boolean)
-        1.9.17. send_close_notify (boolean)
-        1.9.18. con_ct_wq_max (integer)
-        1.9.19. ct_wq_max (integer)
-        1.9.20. ct_wq_blk_size (integer)
-        1.9.21. tls_log (int)
-        1.9.22. tls_debug (int)
-        1.9.23. low_mem_threshold1 (integer)
-        1.9.24. low_mem_threshold2 (integer)
-        1.9.25. tls_force_run (boolean)
-        1.9.26. config (string)
+        1.9.5. crl (string)
+        1.9.6. verify_certificate (boolean)
+        1.9.7. verify_depth (integer)
+        1.9.8. require_certificate (boolean)
+        1.9.9. cipher_list (string)
+        1.9.10. send_timeout (int)
+        1.9.11. handshake_timeout (int)
+        1.9.12. connection_timeout (int)
+        1.9.13. tls_disable_compression (boolean)
+        1.9.14. ssl_release_buffers (integer)
+        1.9.15. ssl_free_list_max_len (integer)
+        1.9.16. ssl_max_send_fragment (integer)
+        1.9.17. ssl_read_ahead (boolean)
+        1.9.18. send_close_notify (boolean)
+        1.9.19. con_ct_wq_max (integer)
+        1.9.20. ct_wq_max (integer)
+        1.9.21. ct_wq_blk_size (integer)
+        1.9.22. tls_log (int)
+        1.9.23. tls_debug (int)
+        1.9.24. low_mem_threshold1 (integer)
+        1.9.25. low_mem_threshold2 (integer)
+        1.9.26. tls_force_run (boolean)
+        1.9.27. config (string)
 
    1.10. Functions
 
@@ -363,8 +364,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
 
    Sets the CA list file name. This file contains a list of all the
    trusted CAs certificates. If a signature in a certificate chain belongs
-   to one of the listed CAs, the authentication will succeed. See also
-   verify_certificate, verify_depth and require_certificate.
+   to one of the listed CAs, the authentication will succeed.
 
    If the file name starts with a '.' the path will be relative to the
    working directory (at runtime). If it starts with a '/' it will be an
@@ -378,12 +378,61 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
    certificate in the PEM format to one file, e.g.: for f in
    trusted_cas/*.pem ; do cat "$f" >> ca_list.pem ; done .
 
+   See also verify_certificate, verify_depth, require_certificate and crl.
+
    Example 6. Set ca_list parameter
 ...
 modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
 ...
 
-1.9.5. verify_certificate (boolean)
+1.9.5. crl (string)
+
+   Sets the certificate revocation list file name. This file contains a
+   list of revoked certificates. Any attempt to verify a revoked
+   certificate will fail.
+
+   If not set, no crl list will be used.
+
+   If the file name starts with a '.' the path will be relative to the
+   working directory (at runtime). If it starts with a '/' it will be an
+   absolute path and if it starts with anything else the path will be
+   relative to the main config file directory (e.g.: for ser -f
+   /etc/ser/ser.cfg it will be relative to /etc/ser/).
+
+Note
+
+   If set, require_certificate should also be set or it will not have any
+   effect.
+
+   By default the crl file is not set.
+
+   To update the crl in a running ser, make sure you configure tls via a
+   separate tls config file (the config modparam) and issue a tls.reload
+   RPC call, e.g.:
+ $ sercmd tls.reload
+
+   A quick way to create the CRL in PEM format, using openssl is:
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
+
+   my_crl.pem will contain the signed list of the revoked certificates.
+
+   To revoke a certificate use something like:
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
+
+   and then refresh the crl file using the command above.
+
+   To display the CRL contents use:
+ $ openssl crl -in crl.pem -noout -text
+
+   See also ca_list, verify_certificate, verify_depth and
+   require_certificate.
+
+   Example 7. Set crl parameter
+...
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
+...
+
+1.9.6. verify_certificate (boolean)
 
    If enabled it will force certificate verification. For more information
    see the verify(1) openssl man page.
@@ -395,12 +444,12 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
 
    By default the certificate verification is off.
 
-   Example 7. Set verify_certificate parameter
+   Example 8. Set verify_certificate parameter
 ...
 modparam("tls", "verify_certificate", 1)
 ...
 
-1.9.6. verify_depth (integer)
+1.9.7. verify_depth (integer)
 
    Sets how far up the certificate chain will the certificate verification
    go in the search for a trusted CA.
@@ -409,12 +458,12 @@ modparam("tls", "verify_certificate", 1)
 
    The default value is 9.
 
-   Example 8. Set verify_depth parameter
+   Example 9. Set verify_depth parameter
 ...
 modparam("tls", "verify_depth", 9)
 ...
 
-1.9.7. require_certificate (boolean)
+1.9.8. require_certificate (boolean)
 
    When enabled it will require a certificate from a client. If the client
    does not offer a certificate and verify_certificate is on, the
@@ -422,12 +471,12 @@ modparam("tls", "verify_depth", 9)
 
    The default value is off.
 
-   Example 9. Set require_certificate parameter
+   Example 10. Set require_certificate parameter
 ...
 modparam("tls", "require_certificate", 1)
 ...
 
-1.9.8. cipher_list (string)
+1.9.9. cipher_list (string)
 
    Sets the list of accepted ciphers. The list consists of cipher strings
    separated by colons. For more information on the cipher list format see
@@ -436,24 +485,24 @@ modparam("tls", "require_certificate", 1)
    The default value is not set (all the Openssl supported ciphers are
    enabled).
 
-   Example 10. Set cipher_list parameter
+   Example 11. Set cipher_list parameter
 ...
 modparam("tls", "cipher_list", "HIGH")
 ...
 
-1.9.9. send_timeout (int)
+1.9.10. send_timeout (int)
 
    This parameter is obsolete and cannot be used in newer TLS versions (>
    sip-router 3.0). In these versions the send_timeout is replaced by
    tcp_send_timeout (common with all the tcp connections).
 
-1.9.10. handshake_timeout (int)
+1.9.11. handshake_timeout (int)
 
    This parameter is obsolete and cannot be used in newer TLS versions (>
    sip-router 3.0). In these versions the handshake_timeout is replaced by
    tcp_connect_timeout (common with all the tcp connections).
 
-1.9.11. connection_timeout (int)
+1.9.12. connection_timeout (int)
 
    Sets the amount of time after which an idle TLS connection will be
    closed, if no I/O ever occured after the initial open. If an I/O event
@@ -467,15 +516,15 @@ modparam("tls", "cipher_list", "HIGH")
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.connection_timeout.
 
-   Example 11. Set connection_timeout parameter
+   Example 12. Set connection_timeout parameter
 ...
 modparam("tls", "connection_timeout", 60)
 ...
 
-   Example 12. Set tls.connection_timeout at runtime
+   Example 13. Set tls.connection_timeout at runtime
  $ sercmd cfg.set_now_int tls connection_timeout 180
 
-1.9.12. tls_disable_compression (boolean)
+1.9.13. tls_disable_compression (boolean)
 
    If set compression over SSL/TLS will be disabled. Note that compression
    uses a lot of memory (about 10x more then with the compression
@@ -484,12 +533,12 @@ modparam("tls", "connection_timeout", 60)
 
    By default compression is disabled.
 
-   Example 13. Set tls_disable_compression parameter
+   Example 14. Set tls_disable_compression parameter
 ...
 modparam("tls", "tls_disable_compression", 0) # enable
 ...
 
-1.9.13. ssl_release_buffers (integer)
+1.9.14. ssl_release_buffers (integer)
 
    Release internal OpenSSL read or write buffers as soon as they are no
    longer needed. Combined with ssl_free_list_max_len has the potential of
@@ -508,10 +557,10 @@ Note
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
    other versions attempting to change the default will trigger an error.
 
-   Example 14. Set ssl_release_buffers parameter
+   Example 15. Set ssl_release_buffers parameter
 modparam("tls", "ssl_release_buffers", 1)
 
-1.9.14. ssl_free_list_max_len (integer)
+1.9.15. ssl_free_list_max_len (integer)
 
    Sets the maximum number of free memory chunks, that OpenSSL will keep
    per connection. Setting it to 0 would cause any unused memory chunk to
@@ -531,10 +580,10 @@ Note
    This option is supported only for OpenSSL versions >= 1.0.0. On all the
    other versions attempting to change the default will trigger an error.
 
-   Example 15. Set ssl_freelist_max_len parameter
+   Example 16. Set ssl_freelist_max_len parameter
 modparam("tls", "ssl_freelist_max_len", 0)
 
-1.9.15. ssl_max_send_fragment (integer)
+1.9.16. ssl_max_send_fragment (integer)
 
    Sets the maximum number of bytes (from the clear text) sent into one
    TLS or SSL record. Valid values are between 512 and 16384. Note however
@@ -566,10 +615,10 @@ Note
    This option is supported only for OpenSSL versions >= 0.9.9. On all the
    other versions attempting to change the default will trigger an error.
 
-   Example 16. Set ssl_max_send_fragment parameter
+   Example 17. Set ssl_max_send_fragment parameter
 modparam("tls", "ssl_max_send_fragment", 4096)
 
-1.9.16. ssl_read_ahead (boolean)
+1.9.17. ssl_read_ahead (boolean)
 
    Enables read ahead, reducing the number of internal OpenSSL BIO read()
    calls. This option has only debugging value, in normal circumstances it
@@ -588,10 +637,10 @@ modparam("tls", "ssl_max_send_fragment", 4096)
 
    By default the value is 0 (disabled).
 
-   Example 17. Set ssl_read_ahead parameter
+   Example 18. Set ssl_read_ahead parameter
 modparam("tls", "ssl_read_ahead", 1)
 
-1.9.17. send_close_notify (boolean)
+1.9.18. send_close_notify (boolean)
 
    Enables/disables sending close notify alerts prior to closing the
    corresponding TCP connection. Sending the close notify prior to tcp
@@ -604,15 +653,15 @@ modparam("tls", "ssl_read_ahead", 1)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.send_close_notify.
 
-   Example 18. Set send_close_notify parameter
+   Example 19. Set send_close_notify parameter
 ...
 modparam("tls", "send_close_notify", 1)
 ...
 
-   Example 19. Set tls.send_close_notify at runtime
+   Example 20. Set tls.send_close_notify at runtime
  $ sercmd cfg.set_now_int tls send_close_notify 1
 
-1.9.18. con_ct_wq_max (integer)
+1.9.19. con_ct_wq_max (integer)
 
    Sets the maximum allowed per connection clear-text send queue size in
    bytes. This queue is used when data cannot be encrypted and sent
@@ -623,15 +672,15 @@ modparam("tls", "send_close_notify", 1)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.con_ct_wq_max.
 
-   Example 20. Set con_ct_wq_max parameter
+   Example 21. Set con_ct_wq_max parameter
 ...
 modparam("tls", "con_ct_wq_max", 1048576)
 ...
 
-   Example 21. Set tls.con_ct_wq_max at runtime
+   Example 22. Set tls.con_ct_wq_max at runtime
  $ sercmd cfg.set_now_int tls con_ct_wq_max 1048576
 
-1.9.19. ct_wq_max (integer)
+1.9.20. ct_wq_max (integer)
 
    Sets the maximum total number of bytes queued in all the clear-text
    send queues. These queues are used when data cannot be encrypted and
@@ -642,15 +691,15 @@ modparam("tls", "con_ct_wq_max", 1048576)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.ct_wq_max.
 
-   Example 22. Set ct_wq_max parameter
+   Example 23. Set ct_wq_max parameter
 ...
 modparam("tls", "ct_wq_max", 4194304)
 ...
 
-   Example 23. Set tls.ct_wq_max at runtime
+   Example 24. Set tls.ct_wq_max at runtime
  $ sercmd cfg.set_now_int tls ct_wq_max 4194304
 
-1.9.20. ct_wq_blk_size (integer)
+1.9.21. ct_wq_blk_size (integer)
 
    Minimum block size for the internal clear-text send queues (debugging /
    advanced tunning). Good values are multiple of typical datagram sizes.
@@ -660,15 +709,15 @@ modparam("tls", "ct_wq_max", 4194304)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.ct_wq_blk_size.
 
-   Example 24. Set ct_wq_blk_size parameter
+   Example 25. Set ct_wq_blk_size parameter
 ...
 modparam("tls", "ct_wq_blk_size", 2048)
 ...
 
-   Example 25. Set tls.ct_wq_max at runtime
+   Example 26. Set tls.ct_wq_max at runtime
  $ sercmd cfg.set_now_int tls ct_wq_blk_size 2048
 
-1.9.21. tls_log (int)
+1.9.22. tls_log (int)
 
    Sets the log level at which TLS related messages will be logged.
 
@@ -677,16 +726,16 @@ modparam("tls", "ct_wq_blk_size", 2048)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.log.
 
-   Example 26. Set tls_log parameter
+   Example 27. Set tls_log parameter
 ...
 # ignore TLS messages if SIP-router is started with debug less than 10
 modparam("tls", "tls_log", 10)
 ...
 
-   Example 27. Set tls.log at runtime
+   Example 28. Set tls.log at runtime
  $ sercmd cfg.set_now_int tls log 10
 
-1.9.22. tls_debug (int)
+1.9.23. tls_debug (int)
 
    Sets the log level at which TLS debug messages will be logged. Note
    that TLS debug messages are enabled only if the TLS module is compiled
@@ -698,16 +747,16 @@ modparam("tls", "tls_log", 10)
    It can be changed also at runtime, via the RPC interface and config
    framework. The config variable name is tls.debug.
 
-   Example 28. Set tls_debug parameter
+   Example 29. Set tls_debug parameter
 ...
 # ignore TLS debug messages if SIP-router is started with debug less than 10
 modparam("tls", "tls_debug", 10)
 ...
 
-   Example 29. Set tls.debug at runtime
+   Example 30. Set tls.debug at runtime
  $ sercmd cfg.set_now_int tls debug 10
 
-1.9.23. low_mem_threshold1 (integer)
+1.9.24. low_mem_threshold1 (integer)
 
    Sets the minimal free memory from which attempts to open or accept new
    TLS connections will start to fail. The value is expressed in KB.
@@ -730,15 +779,15 @@ modparam("tls", "tls_debug", 10)
 
    See also low_mem_threshold2.
 
-   Example 30. Set low_mem_threshold1 parameter
+   Example 31. Set low_mem_threshold1 parameter
 ...
 modparam("tls", "low_mem_threshold1", -1)
 ...
 
-   Example 31. Set tls.low_mem_threshold1 at runtime
+   Example 32. Set tls.low_mem_threshold1 at runtime
  $ sercmd cfg.set_now_int tls low_mem_threshold1 2048
 
-1.9.24. low_mem_threshold2 (integer)
+1.9.25. low_mem_threshold2 (integer)
 
    Sets the minimal free memory from which TLS operations on already
    established TLS connections will start to fail preemptively. The value
@@ -762,15 +811,15 @@ modparam("tls", "low_mem_threshold1", -1)
 
    See also low_mem_threshold1.
 
-   Example 32. Set low_mem_threshold2 parameter
+   Example 33. Set low_mem_threshold2 parameter
 ...
 modparam("tls", "low_mem_threshold2", -1)
 ...
 
-   Example 33. Set tls.low_mem_threshold2 at runtime
+   Example 34. Set tls.low_mem_threshold2 at runtime
  $ sercmd cfg.set_now_int tls low_mem_threshold2 1024
 
-1.9.25. tls_force_run (boolean)
+1.9.26. tls_force_run (boolean)
 
    If enabled SIP-router will start even if some of the openssl sanity
    checks fail (turn it on at your own risk).
@@ -786,12 +835,12 @@ modparam("tls", "low_mem_threshold2", -1)
 
    By default tls_force_run is disabled.
 
-   Example 34. Set tls_force_run parameter
+   Example 35. Set tls_force_run parameter
 ...
 modparam("tls", "tls_force_run", 11)
 ...
 
-1.9.26. config (string)
+1.9.27. config (string)
 
    Sets the name of the TLS specific config file.
 
@@ -817,6 +866,7 @@ modparam("tls", "tls_force_run", 11)
      * certificate
      * verify_depth
      * ca_list
+     * crl
      * cipher_list
 
    All the parameters that take filenames as values will be resolved using
@@ -829,14 +879,15 @@ modparam("tls", "tls_force_run", 11)
    client when it initiates a new connection by itself (it connects to
    something).
 
-   Example 35. Short config file
+   Example 36. Short config file
 [server:default]
 method = TLSv1
-verify_certificate = no
-require_certificate = no
+verify_certificate = yes
+require_certificate = yes
 private_key = default_key.pem
 certificate = default_cert.pem
 ca_list = default_ca.pem
+crl = default_crl.pem
 
 [client:default]
 verify_certificate = yes
@@ -855,7 +906,7 @@ ca_list = local_ca.pem
    For a more complete example check the tls.cfg distributed with the
    SIP-router source (sip_router/modules/tls/tls.cfg).
 
-   Example 36. Set config parameter
+   Example 37. Set config parameter
 ...
 modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
 ...
@@ -863,7 +914,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
    It can be changed also at runtime. The new config will not be loaded
    immediately, but after the first tls.reload RPC call.
 
-   Example 37. Change and reload tls config at runtime
+   Example 38. Change and reload tls config at runtime
  $ sercmd cfg.set_now_string tls config "/usr/local/etc/ser/new_tls.cfg"
  $ sercmd tls.reload
 
@@ -878,7 +929,7 @@ modparam("tls", "config", "/usr/local/etc/ser/tls.cfg")
    , the peer presented an X509 certificate and the certificate chain
    verified ok. It can be used only in a request route.
 
-   Example 38. is_peer_verified usage
+   Example 39. is_peer_verified usage
         if (proto==TLS && !is_peer_verified()){
                 sl_send_reply("400", "No certificate or verification failed");
                 drop;

+ 82 - 6
modules/tls/doc/params.xml

@@ -125,10 +125,7 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
 	<para>
 		Sets the CA list file name. This file contains a list of all the
 		trusted CAs certificates. If a signature in a certificate chain belongs
-		to one of the listed CAs, the authentication will succeed. See also
-		<emphasis>verify_certificate</emphasis>,
-		<emphasis>verify_depth</emphasis> and
-		<emphasis>require_certificate</emphasis>.
+		to one of the listed CAs, the authentication will succeed.
 	</para>
 	<para>
 		If the file name starts with a '.' the path will be relative to the
@@ -145,6 +142,13 @@ modparam("tls", "private", "/usr/local/etc/ser/my_pkey.pem")
 		certificate in the PEM format to one file, e.g.: for f in
 		trusted_cas/*.pem ; do cat "$f" &gt;&gt; ca_list.pem ; done .
 	</para>
+	<para>
+		See also
+		<emphasis>verify_certificate</emphasis>,
+		<emphasis>verify_depth</emphasis>,
+		<emphasis>require_certificate</emphasis> and
+		<emphasis>crl</emphasis>.
+	</para>
 	<example>
 	    <title>Set <varname>ca_list</varname> parameter</title>
 	    <programlisting>
@@ -155,6 +159,76 @@ modparam("tls", "ca_list", "/usr/local/etc/ser/ca_list.pem")
 	</example>
 	</section>
 
+<section id="crl">
+	<title><varname>crl</varname> (string)</title>
+	<para>
+		Sets the certificate revocation list file name. This file contains a
+		list of revoked certificates. Any attempt to verify a revoked
+		certificate will fail.
+	</para>
+	<para>
+		If not set, no crl list will be used.
+	</para>
+	<para>
+		If the file name starts with a '.' the path will be relative to the
+		working directory (<emphasis>at runtime</emphasis>). If it starts
+		with a '/' it will be an absolute path and if it starts with anything
+		else the path will be relative to the main config file directory
+		(e.g.: for ser -f /etc/ser/ser.cfg it will be relative to /etc/ser/).
+	</para>
+	<note><para>
+		If set, <varname>require_certificate</varname> should also be set
+		or it will not have any effect.
+	</para></note>
+	<para>
+		By default the crl file is not set.
+	</para>
+	<para>
+		To update the crl in a running ser, make sure you configure tls
+		via a separate tls config file
+		(the <varname>config</varname> modparam) and issue a tls.reload
+		RPC call, e.g.:
+		<programlisting>
+ $ &sercmd; tls.reload
+		</programlisting>
+	</para>
+	<para>
+		A quick way to create the CRL in PEM format, using openssl is:
+		<programlisting>
+ $ openssl ca -gencrl -keyfile cacert.key -cert cacert.pem -out my_crl.pem
+		</programlisting>
+		 my_crl.pem will contain the signed list of the revoked certificates.
+	</para>
+	<para>
+		To revoke a certificate use something like:
+		<programlisting>
+ $ openssl ca -revoke bad_cert.pem -keyfile cacert.key -cert cacert.pem
+		</programlisting>
+		and then refresh the crl file using the command above.
+	</para>
+	<para>
+		To display the CRL contents use:
+		<programlisting>
+ $ openssl crl -in crl.pem -noout -text
+		</programlisting>
+	</para>
+	<para>
+		See also
+		<emphasis>ca_list</emphasis>,
+		<emphasis>verify_certificate</emphasis>,
+		<emphasis>verify_depth</emphasis> and
+		<emphasis>require_certificate</emphasis>.
+	</para>
+	<example>
+	    <title>Set <varname>crl</varname> parameter</title>
+	    <programlisting>
+...
+modparam("tls", "crl", "/usr/local/etc/ser/crl.pem")
+...
+	    </programlisting>
+	</example>
+	</section>
+
 <section id="verify_certificate">
 	<title><varname>verify_certificate</varname> (boolean)</title>
 	<para>
@@ -820,6 +894,7 @@ modparam("tls", "tls_force_run", 11)
 			<listitem><para>certificate</para></listitem>
 			<listitem><para>verify_depth</para></listitem>
 			<listitem><para>ca_list</para></listitem>
+			<listitem><para>crl</para></listitem>
 			<listitem><para>cipher_list</para></listitem>
 	</itemizedlist>
 	<para>
@@ -839,11 +914,12 @@ modparam("tls", "tls_force_run", 11)
 	<programlisting>
 [server:default]
 method = TLSv1
-verify_certificate = no
-require_certificate = no
+verify_certificate = yes
+require_certificate = yes
 private_key = default_key.pem
 certificate = default_cert.pem
 ca_list = default_ca.pem
+crl = default_crl.pem
 
 [client:default]
 verify_certificate = yes

+ 4 - 0
modules/tls/tls.cfg

@@ -19,6 +19,8 @@ verify_certificate = no
 require_certificate = no
 private_key = ./modules/tls/ser-selfsigned.key
 certificate = ./modules/tls/ser-selfsigned.pem
+#ca_list = ./modules/tls/cacert.pem
+#crl = ./modules/tls/crl.pem
 
 # This is the default client domain, settings
 # in this domain will be used for all outgoing
@@ -46,6 +48,7 @@ require_certificate = yes
 #certificate = ./modules/tls/local_cert.pem
 #verify_depth = 3
 #ca_list = local_ca.pem
+#crl = local_crl.pem
 
 # Special settings for the iptel.org public SIP
 # server. We do not verify the certificate of the
@@ -59,3 +62,4 @@ require_certificate = yes
 #certificate = ./modules/tls/iptel_client.pem
 #private_key = ./modules/tls/iptel_key.pem
 #ca_list = ./modules/tls/iptel_ca.pem
+#crl = ./modules/tls/iptel_crl.pem

+ 6 - 0
modules/tls/tls_cfg.c

@@ -41,6 +41,7 @@ struct cfg_group_tls default_tls_cfg = {
 	0, /* require_certificate */
 	STR_NULL, /* private_key (default value set in fix_tls_cfg) */
 	STR_NULL, /* ca_list (default value set in fix_tls_cfg) */
+	STR_NULL, /* crl (default value set in fix_tls_cfg) */
 	STR_NULL, /* certificate (default value set in fix_tls_cfg) */
 	STR_NULL, /* cipher_list (default value set in fix_tls_cfg) */
 	0, /* session_cache */
@@ -151,6 +152,9 @@ cfg_def_t	tls_cfg_def[] = {
 		" contained in the certificate file" },
 	{"ca_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
 		"name of the file containing the trusted CA list (pem format)" },
+	{"crl", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
+		"name of the file containing the CRL  (certificare revocation list"
+			" in pem format)" },
 	{"certificate", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
 		"name of the file containing the certificate (pem format)" },
 	{"cipher_list", CFG_VAR_STR | CFG_READONLY, 0, 0, 0, 0,
@@ -263,6 +267,8 @@ int fix_tls_cfg(struct cfg_group_tls* cfg)
 		return -1;
 	if (fix_initial_pathname(&cfg->ca_list, TLS_CA_FILE) < 0 )
 		return -1;
+	if (fix_initial_pathname(&cfg->crl, TLS_CRL_FILE) < 0 )
+		return -1;
 	if (fix_initial_pathname(&cfg->certificate, TLS_CERT_FILE) < 0)
 		return -1;
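Review bot: The user-visible help string added for the "crl" option in tls_cfg_def has a typo and a doubled space: `"name of the file containing the CRL  (certificare revocation list"`. Change it to `"name of the file containing the CRL (certificate revocation list"`, keeping the `" in pem format)"` continuation on the next line. The fix_tls_cfg addition mirrors the ca_list handling directly above it and looks fine; fix_tls_cfg itself starts outside the hunk.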
 	

+ 1 - 0
modules/tls/tls_cfg.h

@@ -48,6 +48,7 @@ struct cfg_group_tls {
 	int require_cert;
 	str private_key;
 	str ca_list;
+	str crl;
 	str certificate;
 	str cipher_list;
 	int session_cache;

+ 2 - 0
modules/tls/tls_config.c

@@ -159,6 +159,7 @@ static cfg_option_t options[] = {
 	{"cert_file",           .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
 	{"cipher_list",         .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
 	{"ca_list",             .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
+	{"crl",                 .f = cfg_parse_str_opt, .flags = CFG_STR_SHMMEM},
 	{0}
 };
 
@@ -181,6 +182,7 @@ static void update_opt_variables(void)
 	options[11].param = &domain->cert_file;
 	options[12].param = &domain->cipher_list;
 	options[13].param = &domain->ca_file;
+	options[14].param = &domain->crl_file;
 }
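Review bot: `options[14].param = &domain->crl_file;` in update_opt_variables depends on "crl" being exactly the 15th entry of options[], which the first hunk adds as the last entry before the `{0}` terminator; nothing ties the two together, so a later insertion into the table silently binds the wrong field. At minimum add a comment next to the new assignment, `/* index must match the position of "crl" in options[] */`, or put the same reminder above the options[] table. update_opt_variables begins outside the hunk.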
 
 

+ 43 - 0
modules/tls/tls_domain.c

@@ -90,6 +90,7 @@ void tls_free_domain(tls_domain_t* d)
 
 	if (d->cipher_list.s) shm_free(d->cipher_list.s);
 	if (d->ca_file.s) shm_free(d->ca_file.s);
+	if (d->crl_file.s) shm_free(d->crl_file.s);
 	if (d->pkey_file.s) shm_free(d->pkey_file.s);
 	if (d->cert_file.s) shm_free(d->cert_file.s);
 	shm_free(d);
@@ -192,6 +193,13 @@ static int fill_missing(tls_domain_t* d, tls_domain_t* parent)
 		d->ca_file.len = parent->ca_file.len;
 	}
 	LOG(L_INFO, "%s: ca_list='%s'\n", tls_domain_str(d), d->ca_file.s);
+
+	if (!d->crl_file.s) {
+		if (shm_asciiz_dup(&d->crl_file.s, parent->crl_file.s) < 0)
+			return -1;
+		d->crl_file.len = parent->crl_file.len;
+	}
+	LOG(L_INFO, "%s: crl='%s'\n", tls_domain_str(d), d->crl_file.s);
 	
 	if (d->require_cert == -1) d->require_cert = parent->require_cert;
 	LOG(L_INFO, "%s: require_certificate=%d\n", tls_domain_str(d),
@@ -425,6 +433,40 @@ static int load_ca_list(tls_domain_t* d)
 	return 0;
 }
 
+
+/*
+ * Load CRL from file
+ */
+static int load_crl(tls_domain_t* d)
+{
+	int i;
+	int procs_no;
+	X509_STORE* store;
+
+	if (!d->crl_file.s) {
+		DBG("%s: No CRL configured\n", tls_domain_str(d));
+		return 0;
+	}
+	if (fix_shm_pathname(&d->crl_file) < 0)
+		return -1;
+	LOG(L_INFO, "%s: Certificate revocation lists will be checked (%.*s)\n",
+				tls_domain_str(d), d->crl_file.len, d->crl_file.s);
+	procs_no=get_max_procs();
+	for(i = 0; i < procs_no; i++) {
+		if (SSL_CTX_load_verify_locations(d->ctx[i], d->crl_file.s, 0) != 1) {
+			ERR("%s: Unable to load certificate revocation list '%s'\n",
+					tls_domain_str(d), d->crl_file.s);
+			TLS_ERR("load_crl:");
+			return -1;
+		}
+		store = SSL_CTX_get_cert_store(d->ctx[i]);
+		X509_STORE_set_flags(store,
+						X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+	}
+	return 0;
+}
+
+
 #define C_DEF_NO_KRB5 "DEFAULT:!KRB5"
 #define C_DEF_NO_KRB5_LEN (sizeof(C_DEF_NO_KRB5)-1)
 #define C_NO_KRB5_SUFFIX ":!KRB5"
@@ -687,6 +729,7 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
 	
 	if (load_cert(d) < 0) return -1;
 	if (load_ca_list(d) < 0) return -1;
+	if (load_crl(d) < 0) return -1;
 	if (set_cipher_list(d) < 0) return -1;
 	if (set_verification(d) < 0) return -1;
 	if (set_ssl_options(d) < 0) return -1;

+ 1 - 0
modules/tls/tls_domain.h

@@ -80,6 +80,7 @@ typedef struct tls_domain {
 	int require_cert;
 	str cipher_list;
 	enum tls_method method;
+	str crl_file;
 	struct tls_domain* next;
 } tls_domain_t;
 

+ 5 - 0
modules/tls/tls_mod.c

@@ -119,6 +119,7 @@ static tls_domain_t mod_params = {
 	0,                /* Require certificate */
 	{0, },                /* Cipher list */
 	TLS_USE_TLSv1,    /* TLS method */
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
 	0                 /* next */
 };
 
@@ -139,6 +140,7 @@ tls_domain_t srv_defaults = {
 	0,                /* Require certificate */
 	{0, 0},                /* Cipher list */
 	TLS_USE_TLSv1,    /* TLS method */
+	STR_STATIC_INIT(TLS_CRL_FILE), /* Certificate revocation list */
 	0                 /* next */
 };
 
@@ -159,6 +161,7 @@ tls_domain_t cli_defaults = {
 	0,                /* Require certificate */
 	{0, 0},                /* Cipher list */
 	TLS_USE_TLSv1,    /* TLS method */
+	{0, 0}, /* Certificate revocation list */
 	0                 /* next */
 };
 
@@ -192,6 +195,7 @@ static param_export_t params[] = {
 	{"private_key",         PARAM_STR,    &default_tls_cfg.private_key  },
 	{"ca_list",             PARAM_STR,    &default_tls_cfg.ca_list      },
 	{"certificate",         PARAM_STR,    &default_tls_cfg.certificate  },
+	{"crl",                 PARAM_STR,    &default_tls_cfg.crl          },
 	{"cipher_list",         PARAM_STR,    &default_tls_cfg.cipher_list  },
 	{"connection_timeout",  PARAM_INT,    &default_tls_cfg.con_lifetime },
 	{"tls_log",             PARAM_INT,    &default_tls_cfg.log          },
@@ -299,6 +303,7 @@ static int mod_init(void)
 	mod_params.require_cert = cfg_get(tls, tls_cfg, require_cert);
 	mod_params.pkey_file = cfg_get(tls, tls_cfg, private_key);
 	mod_params.ca_file = cfg_get(tls, tls_cfg, ca_list);
+	mod_params.crl_file = cfg_get(tls, tls_cfg, crl);
 	mod_params.cert_file = cfg_get(tls, tls_cfg, certificate);
 	mod_params.cipher_list = cfg_get(tls, tls_cfg, cipher_list);
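Review bot: The three crl_file initializers added here do not agree: mod_params and srv_defaults use `STR_STATIC_INIT(TLS_CRL_FILE)` while cli_defaults uses `{0, 0}`. If STR_STATIC_INIT expands to `{(s), sizeof(s) - 1}` as its name suggests, then with TLS_CRL_FILE defined as the integer 0 in config.h the first two produce a NULL .s paired with a non-zero .len (sizeof(int) - 1), which is not a well-formed str; the macro is not visible here, so please confirm. Using `{0, 0}` in all three places, or defining TLS_CRL_FILE as a real string, removes the question; the same pattern may be inherited from the ca_file initializers, which lie outside these hunks.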