CRL Support in OpenWSMAN


CRL Support in OpenWSMAN

by A_Venkatachalam

Hi

The latest version of CURL has support for CRL (Certificate Revocation) but OpenWSMAN does not make use of this feature. So to add support in OpenWSMAN we will have to add another CURLOPT for CRL. The issue with this option is that it has a dual purpose.

1. It enables CRL Check

2. Mandates providing a CRL file name

If we look at other CURL options like CAINFO or CAKEY, they are enabled by default and if we do not provide a file name it takes default values for them. But to enable the CRL check itself we have to provide this CURLOPT with a file name. So is it OK to provide a CRL file name like crl.pem to enable CRL on OpenWSMAN? The only issue I can see is if someone changes the CRL file name from the one we have embedded in code, we have an issue. Also, if we want to pass it as a parameter we have an issue, as for the OpenWSMAN client there is no configuration file like we have for the server. So how do we provide the file name?

Please provide inputs to get it done in a proper way.

Thanks,

Arun Venkatachalam

Dell R & D Centre,

Bangalore.

Extn - 78973

_______________________________________________
Openwsman-devel mailing list
Openwsman-devel@...
https://lists.sourceforge.net/lists/listinfo/openwsman-devel

Re: CRL Support in OpenWSMAN

by Klaus Kaempf

* A_Venkatachalam@... <A_Venkatachalam@...> [Aug 18. 2009 07:39]:

> Hi
>
> The latest version of CURL has support for CRL (Certificate Revocation)
> but OpenWSMAN does not make use of this feature. So to add support in
> OpenWSMAN we will have to add another CURLOPT for CRL. The issue with this
> option is that it has a dual purpose.
>
> 1. It enables CRL Check
> 2. Mandates providing a CRL file name
>
> If we look at other CURL options like CAINFO or CAKEY, they are enabled
> by default and if we do not provide a file name it takes default values
> for them. But to enable the CRL check itself we have to provide this
> CURLOPT with a file name. So is it OK to provide a CRL file name like crl.pem
> to enable CRL on OpenWSMAN? The only issue I can see is if someone
> changes the CRL file name from the one we have embedded in code, we have an
> issue. Also, if we want to pass it as a parameter we have an issue, as for
> the OpenWSMAN client there is no configuration file like we have for the
> server. So how do we provide the file name?

Use openwsman.conf for the server side and extend client_opt_t
(defined in wsman-client-api.h) for the client side.

Both can share the same default. The wsman-client-api needs a
wsmc_{s,g}et_crl() extension to manipulate the option.

Klaus
---
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)



Re: CRL Support in OpenWSMAN

by A_Venkatachalam

Hi

Based on the reply you gave, we will provide the needed get and set functions to handle this. But apart from this, a CRL file needs to be provided to CURL.

A proposal to do this -
Make use of a config file in the openwsman client wherein the CRL bundle file can be mentioned. And we can introduce a new option in openwsman through which users can enable or disable the CRL check. The client library will then appropriately read the config file and set the CRL file using CURL setopt for CRL.
The advantage of doing this in the openwsman client layer is that the individual applications need not worry about the CRL bundle. This will minimize the impact on the applications and localize the change to openwsman. But this may warrant us to provide a separate config file for the client. As CRLs are not specific to applications but specific to CAs, a single bundle can have CRLs from multiple CAs as explained in CURL doc (CURLOPT_CRLFILE).

Kindly provide your feedback on this proposal.

Arun Venkatachalam
Dell R & D Centre,
Bangalore.
Extn - 78973
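
The fail-closed handling that the dual-purpose option discussed in this thread calls for, as an added example that is not part of the original message or of OpenWSMAN's code. The struct, the function names and the `crl_check` / `crl_file` config keys are hypothetical; only `CURLOPT_CRLFILE` is libcurl's own name.

```c
/* Added example, not OpenWSMAN code. Struct, function and config key names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum crl_decision { CRL_OFF, CRL_ON, CRL_ERROR };
struct client_crl_opts {   /* stand-in for fields that would be added to client_opt_t */
    int  crl_check;        /* 1 = revocation checking requested */
    char crl_file[256];    /* PEM CRL path that would be handed to CURLOPT_CRLFILE */
};

/* Read "crl_check = yes|no" and "crl_file = <path>" from a constructed client config format. */
int load_crl_opts(const char *conf_path, struct client_crl_opts *o)
{
    char line[512], key[64], val[256];
    FILE *f = fopen(conf_path, "r");
    memset(o, 0, sizeof(*o));          /* no config file means checking was not requested */
    if (!f)
        return -1;
    while (fgets(line, sizeof(line), f)) {
        if (line[0] == '#' || sscanf(line, " %63[^= \t] = %255[^\r\n]", key, val) != 2)
            continue;                  /* skip comments, blanks and malformed lines */
        if (strcmp(key, "crl_check") == 0)
            o->crl_check = (strcmp(val, "yes") == 0);
        else if (strcmp(key, "crl_file") == 0)
            snprintf(o->crl_file, sizeof(o->crl_file), "%s", val);
    }
    fclose(f);
    return 0;
}

/* Fail closed: once checking is requested, a missing or non-CRL file is an error, never "off". */
enum crl_decision resolve_crl(const struct client_crl_opts *o)
{
    char line[128];
    int found = 0;
    FILE *f = NULL;
    if (!o->crl_check)
        return CRL_OFF;                /* caller leaves CURLOPT_CRLFILE unset */
    if (o->crl_file[0] == '\0' || !(f = fopen(o->crl_file, "r")))
        return CRL_ERROR;              /* renamed or missing file must not disable the check */
    while (!found && fgets(line, sizeof(line), f))
        found = (strncmp(line, "-----BEGIN X509 CRL-----", 24) == 0);
    fclose(f);
    /* CRL_ON: caller passes o->crl_file to curl_easy_setopt(curl, CURLOPT_CRLFILE, ...). */
    return found ? CRL_ON : CRL_ERROR;
}
```

libcurl reports `CURLE_SSL_CRL_BADFILE` when the CRL file cannot be loaded during the TLS exchange, so a caller acting on `CRL_ON` should treat that return code as a hard failure too.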

Re: CRL Support in OpenWSMAN

by A_Venkatachalam

Based on the proposal mentioned below, please accept the patch for having CRL support in OpenWSMAN.

Kindly review and apply the patch at your convenience.

Also a small correction -- Single CRL bundle cannot have CRLs from multiple CAs, it can have multiple CRLs from a single CA only.

Thanks,
Arun Venkatachalam
Dell R & D Centre,
Bangalore.
Extn - 78973

-----Original Message-----
From: A_Venkatachalam@... [mailto:A_Venkatachalam@...]
Sent: Wednesday, September 02, 2009 9:51 PM
To: kkaempf@...
Cc: openwsman-devel@...
Subject: Re: [Openwsman-devel] CRL Support in OpenWSMAN

Hi

Based on the reply you gave, we will provide the needed get and set functions to handle this. But apart from this, a CRL file needs to be provided to CURL.

A proposal to do this -
Make use of a config file in the openwsman client wherein the CRL bundle file can be mentioned. And we can introduce a new option in openwsman through which users can enable or disable the CRL check. The client library will then appropriately read the config file and set the CRL file using CURL setopt for CRL.
The advantage of doing this in the openwsman client layer is that the individual applications need not worry about the CRL bundle. This will minimize the impact on the applications and localize the change to openwsman. But this may warrant us to provide a separate config file for the client. As CRLs are not specific to applications but specific to CAs, a single bundle can have CRLs from multiple CAs as explained in CURL doc (CURLOPT_CRLFILE).

Kindly provide your feedback on this proposal.

Arun Venkatachalam
Dell R & D Centre,
Bangalore.
Extn - 78973

openwsman-2.1.0_CRL_etc_client_conf_file.patch (1K)
openwsman-2.1.0_CRL_include.patch (3K)
openwsman-2.1.0_CRL_src.patch (6K)
openwsman-2.1.0_CRL_configure.patch (814 bytes)