libverto event context for certauth plugin?
kenh at cmf.nrl.navy.mil
Tue Sep 22 21:05:57 EDT 2020
>FWIW I think that OpenSSL 3.0 will make it a bit easier, with the "read
>stuff from disk" having been genericized/modularized and letting you "drop
>in" alternative implementations via "provider" modules, but of course
>OpenSSL 3.0 is not done yet...
I'm not quite understanding how this would help; are you saying that
you would suggest the "read stuff from disk" routines be abstracted
to query servers via OCSP? If so, I don't see how that helps things
with lack of a libverto context in certauth, because if that OCSP
query blocks your whole KDC blocks.
If you're suggesting abstracting out the "read from disk" routines to
read my internal database I use to store CRLs ... ugh. Two things:
I really do not want to depend long-term on this database format,
and my reading of the current code is that it really wants to slurp
everything into memory and search it that way. I am not sure changing
out the "read from disk" code helps in that case. It may very well be
that they changed enough other things that you could substitute a function
that does something smart with regards to CRL querying, but again,
depending on an internal database format is NOT something I want to
This is all probably moot for now, since running a local OCSP server
works perfectly fine today and that's the approach I'll take going forwards.
More information about the krbdev