
Support multiple CRLs with multiple CRLs #1442

Closed
charlemagnelasse opened this issue Oct 2, 2019 · 2 comments

@charlemagnelasse charlemagnelasse commented Oct 2, 2019

I have a root CA and multiple subCAs. The server must gather the CRLs from the subCAs and put them in a single file. This works fine on other servers (Apache), but whenever I try to load it in mosquitto 1.6.7 (under Debian Buster) it just stops the process without any output.

1570004494: mosquitto version 1.6.7 starting
1570004494: Config loaded from /etc/mosquitto/mosquitto.conf.
1570004494: Opening ipv4 listen socket on port 1883.
1570004494: Opening ipv6 listen socket on port 1883.
1570004494: Error: Unable to load certificate revocation file "/etc/mosquitto/all.crl.pem". Check crlfile.
1570004494: Error: Protocol not available

What is the correct way to have the CRLs for all subCAs?


@charlemagnelasse charlemagnelasse commented Oct 2, 2019

Seems like X509_load_cert_file will return a 1 when one CRL was loaded and 2 when two were loaded, and so on. And it seems like mosquitto only allows 1 certificate to be loaded in net__load_crl_file (because it checks directly for 1):

So maybe a solution would be:

diff --git a/src/net.c b/src/net.c
index 392972f..cc115e5 100644
--- a/src/net.c
+++ b/src/net.c
@@ -426,7 +426,7 @@ int net__load_crl_file(struct mosquitto__listener *listener)
 	}
 	lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
 	rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
-	if(rc != 1){
+	if(rc < 1){
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
 		return 1;
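Review bot: the relaxed condition `if(rc < 1)` is the right shape, since X509_load_crl_file returns the number of CRLs it loaded and 0 on failure, so a bundle with several concatenated CRLs no longer trips the error; two follow-ups belong with it. First, the `net__print_error(MOSQ_LOG_ERR, "Error: %s")` line still reports errno, which for an OpenSSL parse failure is unrelated to the real cause (the log in the opening comment shows it as "Error: Protocol not available"); printing the OpenSSL error queue here would give the operator the actual reason a CRL did not load. Second, the `crlfile` option documentation should state that the file may contain several PEM CRLs concatenated, otherwise the behaviour this hunk enables stays undiscoverable.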

@ralight ralight commented Oct 2, 2019

Thank you, that does seem like the best solution. I've pushed the change to the fixes branch.
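An added example for this thread, not mosquitto's code: a small checker for the concatenated CRL bundle described above. It counts complete "X509 CRL" PEM blocks, which is the figure the comments say X509_load_crl_file reports for a fully parsed file and the value the patch compares against 1, and it flags a truncated block (BEGIN without END) so a half-written bundle is not mistaken for a valid one. The sample bundle and its base64 bodies are constructed placeholders, not real CRLs; `count_pem_crls` and `crl_load_accepted` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* PEM armour markers for a CRL; certificate blocks in the same file are
 * deliberately not counted, since only CRL blocks contribute to the count
 * discussed in the thread. */
static const char BEGIN_CRL[] = "-----BEGIN X509 CRL-----";
static const char END_CRL[]   = "-----END X509 CRL-----";

/* Returns the number of complete CRL blocks in a PEM text, or -1 if a
 * block opens but never closes (truncated or corrupted bundle). */
int count_pem_crls(const char *pem)
{
    int count = 0;
    const char *p = pem;
    for (;;) {
        const char *b = strstr(p, BEGIN_CRL);
        if (b == NULL)
            return count;                 /* no further CRL blocks */
        const char *e = strstr(b + strlen(BEGIN_CRL), END_CRL);
        if (e == NULL)
            return -1;                    /* BEGIN without END: truncated */
        count++;
        p = e + strlen(END_CRL);          /* continue after this block */
    }
}

/* Mirrors the corrected check from the patch (rc < 1 is an error):
 * any positive count of loaded CRLs is accepted. */
int crl_load_accepted(int rc)
{
    return rc >= 1;
}

/* Constructed sample bundle: two CRLs from different subCAs plus a stray
 * certificate. The base64 bodies are placeholders, not real DER. */
const char SAMPLE_BUNDLE[] =
    "-----BEGIN X509 CRL-----\n"
    "MIIBsubCA1placeholderCRLbody0000000000000000000000000000000000=\n"
    "-----END X509 CRL-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderCertificateBody000000000000000000000000000000000=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n"
    "MIIBsubCA2placeholderCRLbody0000000000000000000000000000000000=\n"
    "-----END X509 CRL-----\n";

/* Stand-alone use: pass the bundle path (e.g. the crlfile from the
 * listener config) to report how many CRL blocks it contains. */
int main(int argc, char **argv)
{
    static char buf[1 << 20];             /* 1 MiB is ample for a CRL bundle */
    if (argc < 2) {
        printf("sample bundle: %d CRL block(s)\n", count_pem_crls(SAMPLE_BUNDLE));
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) {
        perror(argv[1]);
        return 1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    int rc = count_pem_crls(buf);
    printf("%s: %d CRL block(s), %s\n", argv[1], rc,
           crl_load_accepted(rc) ? "would pass the rc < 1 check"
                                 : "would be rejected");
    return crl_load_accepted(rc) ? 0 : 1;
}
```

Running it against the bundle before pointing `crlfile` at it gives a quick way to confirm every subCA's CRL actually made it into the file and that the concatenation did not cut a block in half.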

@ralight ralight closed this in cfacd96 Dec 3, 2019