I've been trying to find available options for configuring CRL checking within RabbitMQ. RabbitMQ in turn seems to rely on Erlang's SSL library. Unfortunately, I know very little about Erlang, so it has been difficult for me to understand:
- The exact syntax of an HTTP timeout-based CRL approach (and if this is automagically pulled from the cert's CRL info)
- If a local-file based CRL approach is available out of the box
Examples of the crl_cache configuration option have been hard to find. Does anyone have further information on this?
Best Answer
Starting with the configuration example from the RabbitMQ TLS support page, add the crl_check and crl_cache options like this:

Setting crl_check to true means that CRLs will be checked for the entire certificate chain, and if any CRL is missing, validation will fail. You could set it to peer or best_effort instead; see the Erlang ssl module documentation for details.

In the sample above, I activated downloading of CRLs by HTTP, with a timeout of 5 seconds (5000 milliseconds). The URL is taken from the cRLDistributionPoints extension in the certificate.

There is currently no local-file based CRL approach available out of the box, but I have submitted a pull request that lets you get CRLs from a local directory the same way Apache does it.