Merge pull request #5175 from darrenmoffat/master

TLS CRL Support Issue 5081

plugins/imtcp/imtcp.c

@@ -144,6 +144,7 @@ struct instanceConf_s {
 	uchar *pszStrmDrvrAuthMode;
 	uchar *pszStrmDrvrPermitExpiredCerts;
 	uchar *pszStrmDrvrCAFile;
+	uchar *pszStrmDrvrCRLFile;
 	uchar *pszStrmDrvrKeyFile;
 	uchar *pszStrmDrvrCertFile;
 	permittedPeers_t *pPermPeersRoot;
@@ -185,6 +186,7 @@ struct modConfData_s {
 	uchar *pszStrmDrvrAuthMode; /* authentication mode to use */
 	uchar *pszStrmDrvrPermitExpiredCerts; /* control how to handly expired certificates */
 	uchar *pszStrmDrvrCAFile;
+	uchar *pszStrmDrvrCRLFile;
 	uchar *pszStrmDrvrKeyFile;
 	uchar *pszStrmDrvrCertFile;
 	permittedPeers_t *pPermPeersRoot;
@@ -370,6 +372,7 @@ createInstance(instanceConf_t **pinst)
 	inst->pszStrmDrvrAuthMode = NULL;
 	inst->pszStrmDrvrPermitExpiredCerts = NULL;
 	inst->pszStrmDrvrCAFile = NULL;
+	inst->pszStrmDrvrCRLFile = NULL;
 	inst->pszStrmDrvrKeyFile = NULL;
 	inst->pszStrmDrvrCertFile = NULL;
 	inst->pPermPeersRoot = NULL;
@@ -526,6 +529,10 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
 			? modConf->pszStrmDrvrCAFile : inst->pszStrmDrvrCAFile;
 	CHKiRet(tcpsrv.SetDrvrCAFile(pOurTcpsrv, psz));
 
+	psz = (inst->pszStrmDrvrCRLFile == NULL)
+			? modConf->pszStrmDrvrCRLFile : inst->pszStrmDrvrCRLFile;
+	CHKiRet(tcpsrv.SetDrvrCRLFile(pOurTcpsrv, psz));
+
 	psz = (inst->pszStrmDrvrKeyFile == NULL)
 			? modConf->pszStrmDrvrKeyFile : inst->pszStrmDrvrKeyFile;
 	CHKiRet(tcpsrv.SetDrvrKeyFile(pOurTcpsrv, psz));
@@ -628,6 +635,8 @@ CODESTARTnewInpInst
 			inst->pszStrmDrvrPermitExpiredCerts = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(inppblk.descr[i].name, "streamdriver.cafile")) {
 			inst->pszStrmDrvrCAFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+		} else if(!strcmp(inppblk.descr[i].name, "streamdriver.crlfile")) {
+			inst->pszStrmDrvrCRLFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(inppblk.descr[i].name, "streamdriver.keyfile")) {
 			inst->pszStrmDrvrKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(inppblk.descr[i].name, "streamdriver.certfile")) {
@@ -724,6 +733,7 @@ CODESTARTbeginCnfLoad
 	loadModConf->pszStrmDrvrAuthMode = NULL;
 	loadModConf->pszStrmDrvrPermitExpiredCerts = NULL;
 	loadModConf->pszStrmDrvrCAFile = NULL;
+	loadModConf->pszStrmDrvrCRLFile = NULL;
 	loadModConf->pszStrmDrvrKeyFile = NULL;
 	loadModConf->pszStrmDrvrCertFile = NULL;
 	loadModConf->pPermPeersRoot = NULL;
@@ -811,6 +821,8 @@ CODESTARTsetModCnf
 			loadModConf->pszStrmDrvrPermitExpiredCerts = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.cafile")) {
 			loadModConf->pszStrmDrvrCAFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.crlfile")) {
+			loadModConf->pszStrmDrvrCRLFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.keyfile")) {
 			loadModConf->pszStrmDrvrKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
 		} else if(!strcmp(modpblk.descr[i].name, "streamdriver.certfile")) {
@@ -937,6 +949,7 @@ CODESTARTfreeCnf
 	free(pModConf->pszStrmDrvrAuthMode);
 	free(pModConf->pszStrmDrvrPermitExpiredCerts);
 	free(pModConf->pszStrmDrvrCAFile);
+	free(pModConf->pszStrmDrvrCRLFile);
 	free(pModConf->pszStrmDrvrKeyFile);
 	free(pModConf->pszStrmDrvrCertFile);
 	if(pModConf->pPermPeersRoot != NULL) {
@@ -949,6 +962,7 @@ CODESTARTfreeCnf
 		free((void*)inst->pszStrmDrvrName);
 		free((void*)inst->pszStrmDrvrPermitExpiredCerts);
 		free((void*)inst->pszStrmDrvrCAFile);
+		free((void*)inst->pszStrmDrvrCRLFile);
 		free((void*)inst->pszStrmDrvrKeyFile);
 		free((void*)inst->pszStrmDrvrCertFile);
 		free((void*)inst->gnutlsPriorityString);

runtime/glbl.c

@@ -115,6 +115,7 @@ static struct cnfparamdescr cnfparamdescr[] = {
 	{ "debug.gnutls", eCmdHdlrNonNegInt, 0 },
 	{ "debug.unloadmodules", eCmdHdlrBinary, 0 },
 	{ "defaultnetstreamdrivercafile", eCmdHdlrString, 0 },
+	{ "defaultnetstreamdrivercrlfile", eCmdHdlrString, 0 },
 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
@@ -262,6 +263,7 @@ SIMP_PROP(ParseHOSTNAMEandTAG, parser.bParseHOSTNAMEandTAG, int)
 SIMP_PROP(OptionDisallowWarning, optionDisallowWarning, int)
 /* We omit setter on purpose, because we want to customize it */
 SIMP_PROP_GET(DfltNetstrmDrvrCAF, pszDfltNetstrmDrvrCAF, uchar*)
+SIMP_PROP_GET(DfltNetstrmDrvrCRLF, pszDfltNetstrmDrvrCRLF, uchar*)
 SIMP_PROP_GET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
 SIMP_PROP_GET(DfltNetstrmDrvrKeyFile, pszDfltNetstrmDrvrKeyFile, uchar*)
 SIMP_PROP_GET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
@@ -450,6 +452,25 @@ setNetstrmDrvrCAExtraFiles(void __attribute__((unused)) *pVal, uchar *pNewVal) {
 	RETiRet;
 }
 
+static rsRetVal
+setDfltNetstrmDrvrCRLF(void __attribute__((unused)) *pVal, uchar *pNewVal) {
+	DEFiRet;
+	FILE *fp;
+	free(loadConf->globals.pszDfltNetstrmDrvrCRLF);
+	fp = fopen((const char*)pNewVal, "r");
+	if(fp == NULL) {
+		LogError(errno, RS_RET_NO_FILE_ACCESS,
+			"error: defaultnetstreamdrivercrlfile file '%s' "
+			"could not be accessed", pNewVal);
+	} else {
+		fclose(fp);
+		loadConf->globals.pszDfltNetstrmDrvrCRLF = pNewVal;
+	}
+
+	RETiRet;
+}
+
+
 static rsRetVal
 setDfltNetstrmDrvrCertFile(void __attribute__((unused)) *pVal, uchar *pNewVal) {
 	DEFiRet;
@@ -926,6 +947,7 @@ CODESTARTobjQueryInterface(glbl)
 	pIf->GetMaxLine = glblGetMaxLine;
 	pIf->GetOptionDisallowWarning = GetOptionDisallowWarning;
 	pIf->GetDfltNetstrmDrvrCAF = GetDfltNetstrmDrvrCAF;
+	pIf->GetDfltNetstrmDrvrCRLF = GetDfltNetstrmDrvrCRLF;
 	pIf->GetDfltNetstrmDrvrCertFile = GetDfltNetstrmDrvrCertFile;
 	pIf->GetDfltNetstrmDrvrKeyFile = GetDfltNetstrmDrvrKeyFile;
 	pIf->GetDfltNetstrmDrvr = GetDfltNetstrmDrvr;
@@ -964,6 +986,8 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a
 	loadConf->globals.pszDfltNetstrmDrvr = NULL;
 	free(loadConf->globals.pszDfltNetstrmDrvrCAF);
 	loadConf->globals.pszDfltNetstrmDrvrCAF = NULL;
+	free(loadConf->globals.pszDfltNetstrmDrvrCRLF);
+	loadConf->globals.pszDfltNetstrmDrvrCRLF = NULL;
 	free(loadConf->globals.pszDfltNetstrmDrvrKeyFile);
 	loadConf->globals.pszDfltNetstrmDrvrKeyFile = NULL;
 	free(loadConf->globals.pszDfltNetstrmDrvrCertFile);
@@ -1209,6 +1233,9 @@ glblDoneLoadCnf(void)
 		} else if(!strcmp(paramblk.descr[i].name, "defaultnetstreamdrivercafile")) {
 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 			setDfltNetstrmDrvrCAF(NULL, cstr);
+		} else if(!strcmp(paramblk.descr[i].name, "defaultnetstreamdrivercrlfile")) {
+			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+			setDfltNetstrmDrvrCRLF(NULL, cstr);
 		} else if(!strcmp(paramblk.descr[i].name, "defaultnetstreamdriver")) {
 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
 			setDfltNetstrmDrvr(NULL, cstr);
@@ -1438,6 +1465,8 @@ BEGINAbstractObjClassInit(glbl, 1, OBJ_IS_CORE_MODULE) /* class, version */
 	NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercafile", 0, eCmdHdlrGetWord,
 	setDfltNetstrmDrvrCAF, NULL, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercrlfile", 0, eCmdHdlrGetWord,
+	setDfltNetstrmDrvrCRLF, NULL, NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdriverkeyfile", 0, eCmdHdlrGetWord,
 	setDfltNetstrmDrvrKeyFile, NULL, NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord,

runtime/glbl.h

@@ -91,6 +91,7 @@ BEGINinterface(glbl) /* name must also be changed in ENDinterface macro! */
 
 	SIMP_PROP(DropMalPTRMsgs, int)
 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+	SIMP_PROP(DfltNetstrmDrvrCRLF, uchar*)
 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
 	SIMP_PROP(DfltNetstrmDrvr, uchar*)

runtime/netstrm.c

@@ -265,6 +265,15 @@ SetDrvrTlsCAFile(netstrm_t *const pThis, const uchar *const file)
 	RETiRet;
 }
 
+static rsRetVal
+SetDrvrTlsCRLFile(netstrm_t *const pThis, const uchar *const file)
+{
+	DEFiRet;
+	ISOBJ_TYPE_assert(pThis, netstrm);
+	iRet = pThis->Drvr.SetTlsCRLFile(pThis->pDrvrData, file);
+	RETiRet;
+}
+
 static rsRetVal
 SetDrvrTlsKeyFile(netstrm_t *const pThis, const uchar *const file)
 {
@@ -470,6 +479,7 @@ CODESTARTobjQueryInterface(netstrm)
 	pIf->SetDrvrPrioritizeSAN = SetDrvrPrioritizeSAN;
 	pIf->SetDrvrTlsVerifyDepth = SetDrvrTlsVerifyDepth;
 	pIf->SetDrvrTlsCAFile = SetDrvrTlsCAFile;
+	pIf->SetDrvrTlsCRLFile = SetDrvrTlsCRLFile;
 	pIf->SetDrvrTlsKeyFile = SetDrvrTlsKeyFile;
 	pIf->SetDrvrTlsCertFile = SetDrvrTlsCertFile;
 finalize_it:

runtime/netstrm.h

@@ -89,10 +89,11 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
 
 	/* v15 -- Tls cert functions */
 	rsRetVal (*SetDrvrTlsCAFile)(netstrm_t *pThis, const uchar* file);
+	rsRetVal (*SetDrvrTlsCRLFile)(netstrm_t *pThis, const uchar* file);
 	rsRetVal (*SetDrvrTlsKeyFile)(netstrm_t *pThis, const uchar* file);
 	rsRetVal (*SetDrvrTlsCertFile)(netstrm_t *pThis, const uchar* file);
 ENDinterface(netstrm)
-#define netstrmCURR_IF_VERSION 15 /* increment whenever you change the interface structure! */
+#define netstrmCURR_IF_VERSION 16 /* increment whenever you change the interface structure! */
 /* interface version 3 added GetRemAddr()
  * interface version 4 added EnableKeepAlive() -- rgerhards, 2009-06-02
  * interface version 5 changed return of CheckConnection from void to rsRetVal -- alorbach, 2012-09-06
@@ -101,6 +102,7 @@ ENDinterface(netstrm)
  * interface version 8 changed signature of Connect() -- dsa, 2016-11-14
  * interface version 9 added SetGnutlsPriorityString -- PascalWithopf, 2017-08-08
  * interface version 10 added oserr parameter to Rcv() -- rgerhards, 2017-09-04
+ * interface version 16 CRL file -- Oracle, 2022-01-16
  * */
 
 /* prototypes */

runtime/netstrms.c

@@ -116,6 +116,8 @@ CODESTARTobjDestruct(netstrms)
 	}
 	free((void*)pThis->pszDrvrCAFile);
 	pThis->pszDrvrCAFile = NULL;
+	free((void*)pThis->pszDrvrCRLFile);
+	pThis->pszDrvrCRLFile = NULL;
 	free((void*)pThis->pszDrvrKeyFile);
 	pThis->pszDrvrKeyFile = NULL;
 	free((void*)pThis->pszDrvrCertFile);
@@ -250,6 +252,18 @@ SetDrvrTlsCAFile(netstrms_t *pThis, const uchar *mode)
 	RETiRet;
 }
 
+static rsRetVal
+SetDrvrTlsCRLFile(netstrms_t *pThis, const uchar *mode)
+{
+	DEFiRet;
+	ISOBJ_TYPE_assert(pThis, netstrms);
+	if (mode != NULL) {
+		CHKmalloc(pThis->pszDrvrCRLFile = (uchar*) strdup((char*)mode));
+	}
+finalize_it:
+	RETiRet;
+}
+
 static rsRetVal
 SetDrvrTlsKeyFile(netstrms_t *pThis, const uchar *mode)
 {
@@ -394,6 +408,12 @@ GetDrvrTlsCAFile(netstrms_t *pThis)
 	return pThis->pszDrvrCAFile;
 }
 static const uchar *
+GetDrvrTlsCRLFile(netstrms_t *pThis)
+{
+	ISOBJ_TYPE_assert(pThis, netstrms);
+	return pThis->pszDrvrCRLFile;
+}
+static const uchar *
 GetDrvrTlsKeyFile(netstrms_t *pThis)
 {
 	ISOBJ_TYPE_assert(pThis, netstrms);
@@ -471,9 +491,11 @@ CODESTARTobjQueryInterface(netstrms)
 	pIf->SetDrvrTlsVerifyDepth = SetDrvrTlsVerifyDepth;
 	pIf->GetDrvrTlsVerifyDepth = GetDrvrTlsVerifyDepth;
 	pIf->GetDrvrTlsCAFile = GetDrvrTlsCAFile;
+	pIf->GetDrvrTlsCRLFile = GetDrvrTlsCRLFile;
 	pIf->GetDrvrTlsKeyFile = GetDrvrTlsKeyFile;
 	pIf->GetDrvrTlsCertFile = GetDrvrTlsCertFile;
 	pIf->SetDrvrTlsCAFile = SetDrvrTlsCAFile;
+	pIf->SetDrvrTlsCRLFile = SetDrvrTlsCRLFile;
 	pIf->SetDrvrTlsKeyFile = SetDrvrTlsKeyFile;
 	pIf->SetDrvrTlsCertFile = SetDrvrTlsCertFile;
 finalize_it:

runtime/netstrms.h

@@ -38,6 +38,7 @@ struct netstrms_s {
 	int DrvrVerifyDepth;		/**< Verify Depth for certificate chains */
 	uchar *pszDrvrPermitExpiredCerts;
 	const uchar *pszDrvrCAFile;
+	const uchar *pszDrvrCRLFile;
 	const uchar *pszDrvrKeyFile;
 	const uchar *pszDrvrCertFile;
 	uchar *gnutlsPriorityString; /**< priorityString for connection */
@@ -78,9 +79,11 @@ BEGINinterface(netstrms) /* name must also be changed in ENDinterface macro! */
 	const uchar* (*GetDrvrTlsKeyFile)(netstrms_t *pThis);
 	rsRetVal (*SetDrvrTlsCertFile)(netstrms_t *pThis, const uchar *);
 	const uchar* (*GetDrvrTlsCertFile)(netstrms_t *pThis);
-
+	/* v3 */
+	rsRetVal (*SetDrvrTlsCRLFile)(netstrms_t *pThis, const uchar *);
+	const uchar* (*GetDrvrTlsCRLFile)(netstrms_t *pThis);
 ENDinterface(netstrms)
-#define netstrmsCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */
+#define netstrmsCURR_IF_VERSION 3 /* increment whenever you change the interface structure! */
 
 /* prototypes */
 PROTOTYPEObj(netstrms);

runtime/nsd.h

@@ -98,8 +98,10 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
 	rsRetVal (*SetTlsKeyFile)(nsd_t *pThis, const uchar *);
 	rsRetVal (*SetTlsCertFile)(nsd_t *pThis, const uchar *);
 
+	/* v16 - Tls CRL */
+	rsRetVal (*SetTlsCRLFile)(nsd_t *pThis, const uchar *);
 ENDinterface(nsd)
-#define nsdCURR_IF_VERSION 15 /* increment whenever you change the interface structure! */
+#define nsdCURR_IF_VERSION 16 /* increment whenever you change the interface structure! */
 /* interface version 4 added GetRemAddr()
  * interface version 5 added EnableKeepAlive() -- rgerhards, 2009-06-02
  * interface version 6 changed return of CheckConnection from void to rsRetVal -- alorbach, 2012-09-06

runtime/nsd_gtls.c

@@ -55,10 +55,6 @@
 #include "unicode-helper.h"
 #include "rsconf.h"
 
-/* things to move to some better place/functionality - TODO */
-#define CRLFILE "crl.pem"
-
-
 #if GNUTLS_VERSION_NUMBER <= 0x020b00
 GCRY_THREAD_OPTION_PTHREAD_IMPL;
 #endif
@@ -707,7 +703,7 @@ static rsRetVal
 gtlsInitCred(nsd_gtls_t *const pThis )
 {
 	int gnuRet;
-	const uchar *cafile;
+	const uchar *cafile, *crlfile;
 	DEFiRet;
 
 	/* X509 stuff */
@@ -732,13 +728,35 @@ gtlsInitCred(nsd_gtls_t *const pThis )
 		} else if(gnuRet < 0) {
 			/* TODO; a more generic error-tracking function (this one based on CHKgnutls()) */
 			uchar *pErr = gtlsStrerror(gnuRet);
-			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d in %s:%d: %s\n",
+			LogError(0, RS_RET_GNUTLS_ERR,
+				"unexpected GnuTLS error reading CA certificate file %d in %s:%d: %s\n",
 			gnuRet, __FILE__, __LINE__, pErr);
 			free(pErr);
 			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
 		}
 	}
 
+	crlfile = (pThis->pszCRLFile == NULL) ? glbl.GetDfltNetstrmDrvrCRLF(runConf) : pThis->pszCRLFile;
+	if(crlfile == NULL) {
+		dbgprintf("Certificate revocation list (CRL) file not set.");
+	} else {
+		dbgprintf("GTLS CRL file: '%s'\n", crlfile);
+		gnuRet = gnutls_certificate_set_x509_crl_file(pThis->xcred, (char*)crlfile, GNUTLS_X509_FMT_PEM);
+		if(gnuRet == GNUTLS_E_FILE_ERROR) {
+			LogError(0, RS_RET_GNUTLS_ERR,
+				"error reading Certificate revocation list (CRL) '%s' - a common cause is that the "
+				"file  does not exist", crlfile);
+			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+		} else if(gnuRet < 0) {
+			/* TODO; a more generic error-tracking function (this one based on CHKgnutls()) */
+			uchar *pErr = gtlsStrerror(gnuRet);
+			LogError(0, RS_RET_GNUTLS_ERR,
+				"unexpected GnuTLS error reading Certificate revocation list (CRL) %d in %s:%d: %s\n",
+			gnuRet, __FILE__, __LINE__, pErr);
+			free(pErr);
+			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+		}
+	}
 
 finalize_it:
 	RETiRet;
@@ -1230,6 +1248,7 @@ gtlsChkPeerCertValidity(nsd_gtls_t *pThis)
 		} else if(stateCert & GNUTLS_CERT_REVOKED) {
 			pszErrCause = "certificate revoked";
 			bAbort = RSTRUE;
+			iAbortCode = RS_RET_CERT_REVOKED;
 #ifdef EXTENDED_CERT_CHECK_AVAILABLE
 		} else if(stateCert & GNUTLS_CERT_PURPOSE_MISMATCH) {
 			pszErrCause = "key purpose OID does not match";
@@ -1394,6 +1413,7 @@ CODESTARTobjDestruct(nsd_gtls)
 	free(pThis->pszConnectHost);
 	free(pThis->pszRcvBuf);
 	free((void*) pThis->pszCAFile);
+	free((void*) pThis->pszCRLFile);
 
 	if(pThis->bOurCertIsInit)
 		for(unsigned i=0; i<pThis->nOurCerts; ++i) {
@@ -1637,6 +1657,23 @@ SetTlsCAFile(nsd_t *pNsd, const uchar *const caFile)
 	RETiRet;
 }
 
+static rsRetVal
+SetTlsCRLFile(nsd_t *pNsd, const uchar *const crlFile)
+{
+	DEFiRet;
+	nsd_gtls_t *const pThis = (nsd_gtls_t*) pNsd;
+
+	ISOBJ_TYPE_assert((pThis), nsd_gtls);
+	if(crlFile == NULL) {
+		pThis->pszCRLFile = NULL;
+	} else {
+		CHKmalloc(pThis->pszCRLFile = (const uchar*) strdup((const char*) crlFile));
+	}
+
+finalize_it:
+	RETiRet;
+}
+
 static rsRetVal
 SetTlsKeyFile(nsd_t *pNsd, const uchar *const pszFile)
 {
@@ -2332,6 +2369,7 @@ CODESTARTobjQueryInterface(nsd_gtls)
 	pIf->SetPrioritizeSAN = SetPrioritizeSAN;
 	pIf->SetTlsVerifyDepth = SetTlsVerifyDepth;
 	pIf->SetTlsCAFile = SetTlsCAFile;
+	pIf->SetTlsCRLFile = SetTlsCRLFile;
 	pIf->SetTlsKeyFile = SetTlsKeyFile;
 	pIf->SetTlsCertFile = SetTlsCertFile;
 finalize_it: