libverto event context for certauth plugin?

Benjamin Kaduk kaduk at
Mon Sep 28 21:16:13 EDT 2020

On Tue, Sep 22, 2020 at 09:05:57PM -0400, Ken Hornstein wrote:
> >FWIW I think that OpenSSL 3.0 will make it a bit easier, with the "read
> >stuff from disk" having been genericized/modularized and letting you "drop
> >in" alternative implementations via "provider" modules, but of course
> >OpenSSL 3.0 is not done yet...
> I'm not quite understanding how this would help; are you saying that
> you would suggest the "read stuff from disk" routines be abstracted
> to query servers via OCSP?  If so, I don't see how that helps things
> with lack of a libverto context in certauth, because if that OCSP
> query blocks your whole KDC blocks.
> If you're suggesting abstracting out the "read from disk" routines to
> read my internal database I use to store CRLs ... ugh.  Two things:

This one, yeah -- openssl would no longer want to slurp everything into
memory itself, but you still need some kind of local access in order to be
useful in the scenario where there's not a libverto context available.
It doesn't have to be your internal database format per se, but it sounds
like the options here will still have the most of drawbacks you are trying
to avoid.


> I really do not want to depend long-term on this database format,
> and my reading of the current code is that it really wants to slurp
> everything into memory and search it that way.  I am not sure changing
> out the "read from disk" code helps in that case.  It may very well be
> that they changed enough other things that you could substitute a function
> that does something smart with regards to CRL querying, but again,
> depending on an internal database format is NOT something I want to
> do long-term.
> This is all probably moot for now, since running a local OCSP server
> works perfectly fine today and that's the approach I'll take going forwards.
> --Ken

More information about the krbdev mailing list