support CRL with server/client encryption options #9630
Labels
Milestone
Comments
|
/cc @elcallio |
|
https://www.gnutls.org/manual/html_node/PKIX-certificate-revocation-lists.html Relatively easy to implement, though if it is gonna match everything else, it should have an auto-reload sibling, and a number of adapting versions similar to certs/keys. |
elcallio
pushed a commit
to elcallio/scylla
that referenced
this issue
Nov 17, 2021
…on options Fixes scylladb#9630 Adds support for importing a CRL certificate reovcation list. This will be monitored and reloaded like certs/keys. Allows blacklisting individual certs.
|
Turns out I had already written the code in seastar from the get-go. Only need to add scylla support in config. |
elcallio
pushed a commit
to elcallio/scylla
that referenced
this issue
Nov 17, 2021
…on options Fixes scylladb#9630 Adds support for importing a CRL certificate reovcation list. This will be monitored and reloaded like certs/keys. Allows blacklisting individual certs. v2: * Include option in template config in scylla.yaml * Change <empty> to <none>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Best I can tell scylla doesn't support a certificate revocation list for either server or client encryption options. Thus if a TLS client private key is leaked you would need to remove the signing CA from the trust store to decline connections from clients using that certificate. Ideally you would append the leaked clients certificate the CRL instead.
It would be a good enhancement to support providing a CRL file argument to the
client_encryption_optionsandserver_encryption_optionsconfiguration hashes, like:The text was updated successfully, but these errors were encountered: