openssl configuration & cert validity checking

Randy Turner

I think someone has touched on some of this on the list recently, but  
I was curious if there was a way to programmatically (through an API  
call or otherwise) patch into OpenSSL's configuration capability -  
I understand the library by default looks at text files on a file  
system for things like root certificates, but if I'm running on an  
embedded system with no hard drive and I don't have a persistent  
storage medium accessible through traditional file I/O calls, how  
would I feed OpenSSL everything it needs to operate correctly?

Also, because I'm on an embedded system, I can't download CRLs to a  
file on a file system because of limited storage. I either have to  
download delta-CRLs (which is no guarantee of a small download), or  
have a way to "stream" CRL data through a verifier process. In this  
way, certificates are checked against a CRL while the data is being  
downloaded into the embedded device. After CRL records have been  
processed, they're thrown away. If we have a "match" in a CRL, we can  
cache that cert as being "revoked" - like a "lookaside list" that we  
check prior to downloading a CRL. Of course the "revoked cert" cache  
would not be persistent because we may not have non-volatile memory  
to store the cache.

If we're using OCSP, a file system is not really an issue, and we can  
cache OCSP responses as well, as supported by the protocol.

Any information on API configuration of all openssl parameters (no  
text files) and certificate validation on a constrained embedded  
device is much appreciated.
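The "stream the CRL through a verifier and throw the records away" idea in the post, sketched as an added example (this is not code from the post, and it does not use OpenSSL's API; it is a pure-Python illustration of the memory-bounded approach). It encodes a constructed RFC 5280 `revokedCertificates` list in DER, then parses that list incrementally from arbitrary-sized chunks, so memory use is bounded by one entry rather than by the CRL. Matches against the serials currently being validated go into a small LRU "lookaside" cache that is consulted before any further download; a CRL that ends before the list is complete yields no "not revoked" verdict at all. The rest of a real CRL (issuer, thisUpdate/nextUpdate, the signature) is assumed to be handled elsewhere; note in particular that the signature covers the whole tbsCertList, so a streaming verifier can only trust its matches once the signature check at the end of the download succeeds.

```python
"""Streaming CRL revocation check with a bounded in-memory revoked-serial cache.

Added example: a constructed revokedCertificates list (RFC 5280 section 5.1),
parsed incrementally. Not OpenSSL code; all inputs below are constructed.
"""
import collections
from typing import Iterable, List, Tuple

SEQUENCE, INTEGER, UTCTIME = 0x30, 0x02, 0x17


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    # Minimal two's-complement encoding (a leading 0x00 keeps high-bit values positive).
    return der_tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_revoked_certificates(entries: Iterable[Tuple[int, str]]) -> bytes:
    """Encode SEQUENCE OF SEQUENCE { userCertificate INTEGER, revocationDate UTCTime }."""
    inner = b"".join(
        der_tlv(SEQUENCE, der_integer(serial) + der_tlv(UTCTIME, when.encode("ascii")))
        for serial, when in entries)
    return der_tlv(SEQUENCE, inner)


def _read_header(buf: bytes):
    """Return (tag, length, header_size), or None if the header is not complete yet."""
    if len(buf) < 2:
        return None
    tag, first = buf[0], buf[1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4:              # indefinite or absurd lengths are not DER
        raise ValueError("unsupported length encoding")
    if len(buf) < 2 + n:
        return None
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def _serial_from_entry(entry: bytes) -> int:
    hdr = _read_header(entry)
    if hdr is None or hdr[0] != INTEGER:
        raise ValueError("entry must start with INTEGER userCertificate")
    _, length, hsize = hdr
    return int.from_bytes(entry[hsize:hsize + length], "big", signed=True)


class StreamingRevokedListParser:
    """Feed chunks in any size; returns serials as each entry completes and discards it."""

    def __init__(self):
        self._buf = b""
        self._outer_consumed = False
        self._remaining = 0          # bytes of the outer SEQUENCE body still expected

    def feed(self, chunk: bytes) -> List[int]:
        self._buf += chunk
        found: List[int] = []
        if not self._outer_consumed:
            hdr = _read_header(self._buf)
            if hdr is None:
                return found
            tag, length, hsize = hdr
            if tag != SEQUENCE:
                raise ValueError("revokedCertificates must be a SEQUENCE")
            self._buf, self._remaining, self._outer_consumed = self._buf[hsize:], length, True
        while self._remaining > 0:
            hdr = _read_header(self._buf)
            if hdr is None:
                break
            tag, length, hsize = hdr
            if tag != SEQUENCE or hsize + length > self._remaining:
                raise ValueError("malformed revoked-certificate entry")
            if len(self._buf) < hsize + length:
                break                # wait for the rest of this one entry
            entry, self._buf = self._buf[hsize:hsize + length], self._buf[hsize + length:]
            self._remaining -= hsize + length
            found.append(_serial_from_entry(entry))
        return found

    @property
    def complete(self) -> bool:
        return self._outer_consumed and self._remaining == 0


class RevocationChecker:
    """Lookaside cache of revoked serials (bounded LRU), consulted before streaming a CRL."""

    def __init__(self, cache_size: int = 64):
        self.cache_size = cache_size
        self._revoked: "collections.OrderedDict[int, bool]" = collections.OrderedDict()

    def is_cached_revoked(self, serial: int) -> bool:
        if serial in self._revoked:
            self._revoked.move_to_end(serial)
            return True
        return False

    def _remember(self, serial: int) -> None:
        self._revoked[serial] = True
        self._revoked.move_to_end(serial)
        while len(self._revoked) > self.cache_size:
            self._revoked.popitem(last=False)

    def check_against_stream(self, serials: Iterable[int], chunks: Iterable[bytes]) -> dict:
        """Return {serial: revoked} for the given serials; raises if the CRL is truncated."""
        pending = set(serials)
        result = {s: False for s in pending}
        for s in list(pending):
            if self.is_cached_revoked(s):
                result[s], _ = True, pending.discard(s)
        if not pending:
            return result            # every answer came from the cache; no download consumed
        parser = StreamingRevokedListParser()
        for chunk in chunks:
            for serial in parser.feed(chunk):
                if serial in pending:
                    self._remember(serial)
                    result[serial] = True
        if not parser.complete:
            raise ValueError("CRL ended early: no revocation verdict is possible")
        return result


if __name__ == "__main__":
    crl = build_revoked_certificates([(0x1001, "240101000000Z"), (0x80, "240102000000Z")])
    checker = RevocationChecker(cache_size=8)
    print(checker.check_against_stream([0x80, 0x55], (crl[i:i + 5] for i in range(0, len(crl), 5))))
```

The serials passed to `check_against_stream` would be those of the certificate chain currently being validated; everything else in the CRL passes through and is dropped. The cache is deliberately small and volatile, matching the post's point that there may be no non-volatile memory to keep it in.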


