1. 15 Feb, 2021 2 commits
    • ca: Make getCACertificate return the *oldest* still-valid CA cert. · 0b871b56
      Vincent Pelletier authored
      This fixes late-trust-bootstrap clients' ability to trust certificates
      issued by an older CA.
    • caucase: Fix CRL support. · 3aefb18a
      Vincent Pelletier authored
      Emit Certificate Revocation Lists signed by all valid CAs.
      Apparently openssl (or at least how it is used in stunnel4) fails to
      validate a certificate when CRL validation is enabled and the key which
      signed the CRL differs from the key which signed the certificate.
      Also, add Authority Key Identifier CRL extension, required to be standard-
      compliant.
      Also, fix revocation entry expiration: the RFC requires them to be kept
      at least one renewal cycle after the certificate's expiration.
      As a consequence of this whole change:
      - the protocol for retrieving the current CRL changes to return the
        concatenated list of CRLs, which breaks the CRL distribution (...but
        the distributed CRLs were invalid anyway)
      - stop storing the CRL PEM in caucased's database so that it gets
        re-generated with fresh code. As caucased is not expected to be
        restarted very often, the extra CRL generation on every start should
        not make a difference.
  2. 12 Feb, 2021 9 commits
  3. 03 Feb, 2021 5 commits
  4. 02 Feb, 2021 10 commits
  5. 01 Feb, 2021 4 commits
  6. 29 Jan, 2021 2 commits
  7. 25 Nov, 2020 6 commits
  8. 29 Jun, 2020 1 commit
  9. 27 Jun, 2020 1 commit