After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 636573 - TLS CRL support
TLS CRL support
Status: RESOLVED OBSOLETE
Product: glib
Classification: Platform
Component: network
unspecified
Other Linux
: Normal normal
: ---
Assigned To: gtkdev
gtkdev
: 728141 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2010-12-06 09:20 UTC by Dan Winship
Modified: 2018-05-29 06:50 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Dan Winship 2010-12-06 09:20:48 UTC
We need to support CRLs (certificate revocation lists) in some way.

If there is a standard location for storing CRLs on some distros, we should pick up CRLs there automatically. Likewise, if the GTlsCertificateDB (bug 636572) supports storing CRLs, we should pick those up automatically.

It is not clear that there needs to be an API for adding CRLs; adding CRLs is something that a sysadmin would do (eg, by adding a .crl file to a directory), not that an application user would do.
Comment 1 Federico Mena Quintero 2015-12-22 20:33:34 UTC
Bug #728141 has more details on revocation.
Comment 2 Michael Catanzaro 2015-12-22 20:55:55 UTC
*** Bug 728141 has been marked as a duplicate of this bug. ***
Comment 3 Michael Catanzaro 2017-01-20 22:11:59 UTC
Here are some things I've said about certificate revocation previously. From bug #728141:

"Anyone implementing this should research Chrome's CRLSet method of revocation checking. Please, do not implement standard CRL or OCSP. There is no shortage of articles on the Internet about why these both suck, but the link above is a place to start."

The link above is http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/

From https://wiki.gnome.org/Apps/Web/Roadmap/Security I wrote:

"""We don't currently check for revoked certificates. The problem with certificate revocation is that standard methods for revocation checking are arguably worse than performing no revocation checking at all. CRL causes the browser to take an eternity to download a potentially 40 MB CRL before loading a web page: that's not acceptable. No browser hard enforces OCSP responder failure and there's little value in OCSP unless we do. Plus, OCSP is a big privacy violation, which dramatically outweighs the benefits of using it if it's not hard enforced. OCSP stapling exists, but it's not useful unless we enforce OCSP.

We should ship -- guess what -- a preload list of revoked certificates! It should be checked by glib-networking; this shouldn't need any work anywhere else. Guess what: it should be in a separate package, so it can be updated separately from glib-networking. Note that a revoked cert *anywhere* in the chain must invalidate the entire chain.

Update: Look into using OneCRL for intermediate certificate revocation. We might have to give up on checking for revocation of individual certificates, though, since every option sucks."""

I haven't looked into this in a while and don't know the right thing to do.
Comment 4 Michael Catanzaro 2017-01-20 22:15:24 UTC
*** Bug 777524 has been marked as a duplicate of this bug. ***
Comment 5 GNOME Infrastructure Team 2018-05-24 12:55:24 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib/issues/380.
Comment 6 Michael Catanzaro 2018-05-25 16:36:02 UTC
Reopening. This bug was migrated to https://gitlab.gnome.org/GNOME/glib, but it should have been migrated to https://gitlab.gnome.org/GNOME/glib-networking.
Comment 7 Christoph Reiter (lazka) 2018-05-29 06:50:19 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib-networking/issues/32.