CDP-driven CRL revocation support for mTLS.
When mTLS is configured with CRL checks enabled, startup performs a bounded
bootstrap pass over the configured CA bundle, extracts CRL Distribution
Point (CDP) URLs, fetches reachable CRLs, and builds the initial inner
rustls verifier from that cache.
During handshakes, the outer verifier remains stable for the lifetime of the
TLS acceptor while its inner WebPkiClientVerifier is swapped atomically via
ArcSwap as CRLs are discovered or refreshed. Discovery from connecting
client certificates is fire-and-forget and never blocks the synchronous
handshake path.
Semantics:
- `crl_deny_on_unavailable = false` => fail open: a client certificate whose revocation status cannot be determined is accepted and a warning is logged.
- `crl_deny_on_unavailable = true` => fail closed: the handshake is rejected when the certificate advertises CDP URLs whose CRLs have not yet been fetched, so its revocation status is not yet available.
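The swappable-inner-verifier design and the fail-open / fail-closed rule above, as an added example that is not the crate's own code. It models the module with std only: CachedCrl carries the parsed nextUpdate and the revoked serials, InnerVerifier stands in for the rebuilt WebPkiClientVerifier, DynamicVerifier stands in for DynamicClientCertVerifier with RwLock<Arc<_>> in place of ArcSwap, and the discovery "fetch" is simulated by inserting a constructed CRL into the cache. Two assumptions that the page does not state: a CRL past its nextUpdate is treated as unavailable, and a certificate that advertises no CDP URLs is accepted without a revocation check. The URL, serial and timestamps are constructed.

```rust
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

/// Stand-in for CachedCrl: one parsed CRL keyed by the URL it was fetched from.
#[derive(Clone, Debug)]
pub struct CachedCrl {
    pub url: String,
    pub next_update: u64,              // unix seconds; the real module parses it out of DER
    pub revoked_serials: Vec<Vec<u8>>, // raw big-endian serial bytes
}

/// Immutable cache snapshot; stands in for the rebuilt WebPkiClientVerifier.
pub struct InnerVerifier {
    crls: HashMap<String, CachedCrl>,
    deny_on_unavailable: bool,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Verdict {
    Accepted,                                    // no CDP (assumption) or fresh CRL checked, serial absent
    AcceptedUnverified { missing: Vec<String> }, // status unknown, deny_on_unavailable = false: fail open
    Revoked { url: String },                     // serial listed in the CRL fetched from `url`
    DeniedUnavailable { missing: Vec<String> },  // status unknown, deny_on_unavailable = true: fail closed
}
impl InnerVerifier {
    pub fn check(&self, serial: &[u8], cdp_urls: &[String], now: u64) -> Verdict {
        let mut missing = Vec::new();
        let mut checked = 0usize;
        for url in cdp_urls {
            match self.crls.get(url) {
                // Assumption: a CRL past its nextUpdate counts as unavailable.
                Some(crl) if now < crl.next_update => {
                    if crl.revoked_serials.iter().any(|s| s.as_slice() == serial) {
                        return Verdict::Revoked { url: url.clone() };
                    }
                    checked += 1;
                }
                _ => missing.push(url.clone()),
            }
        }
        if checked > 0 || cdp_urls.is_empty() {
            Verdict::Accepted
        } else if self.deny_on_unavailable {
            Verdict::DeniedUnavailable { missing }
        } else {
            Verdict::AcceptedUnverified { missing }
        }
    }
}

/// Stand-in for rebuild_verifier: freeze the current cache into a new inner verifier.
pub fn rebuild_verifier(cache: &HashMap<String, CachedCrl>, deny_on_unavailable: bool) -> InnerVerifier {
    InnerVerifier { crls: cache.clone(), deny_on_unavailable }
}

/// What the refresher loop should re-fetch: every CRL whose nextUpdate has passed.
pub fn due_for_refresh(cache: &HashMap<String, CachedCrl>, now: u64) -> Vec<String> {
    let mut due: Vec<String> = cache.values().filter(|c| c.next_update <= now).map(|c| c.url.clone()).collect();
    due.sort();
    due
}

/// Stand-in for DynamicClientCertVerifier. The real module uses ArcSwap; RwLock<Arc<_>>
/// gives the same property here: the handshake clones the Arc under a short read lock,
/// so a concurrent swap neither blocks it nor invalidates the snapshot it holds.
pub struct DynamicVerifier {
    inner: RwLock<Arc<InnerVerifier>>,
}

impl DynamicVerifier {
    pub fn new(inner: InnerVerifier) -> Self {
        Self { inner: RwLock::new(Arc::new(inner)) }
    }
    /// Replace the inner verifier; in-flight handshakes keep the old Arc.
    pub fn swap(&self, inner: InnerVerifier) {
        *self.inner.write().unwrap() = Arc::new(inner);
    }
    /// Handshake-path check: snapshot the current inner verifier and delegate.
    pub fn verify(&self, serial: &[u8], cdp_urls: &[String], now: u64) -> Verdict {
        let snapshot: Arc<InnerVerifier> = self.inner.read().unwrap().clone();
        snapshot.check(serial, cdp_urls, now)
    }
}

/// Constructed scenario, no network: bootstrap with an empty cache (fail-open), then a
/// discovery "fetch" lands a CRL listing the client's serial and is swapped in.
pub fn demo() -> (Verdict, Verdict) {
    let url = "http://crl.example.test/ca.crl".to_string(); // constructed CDP URL
    let serial = vec![0x01, 0xA4, 0x7C]; // constructed client serial
    let now: u64 = 1_700_000_000;
    let mut cache: HashMap<String, CachedCrl> = HashMap::new();
    let verifier = DynamicVerifier::new(rebuild_verifier(&cache, false));
    let before = verifier.verify(&serial, &[url.clone()], now);
    let crl = CachedCrl { url: url.clone(), next_update: now + 86_400, revoked_serials: vec![serial.clone()] };
    cache.insert(url.clone(), crl);
    verifier.swap(rebuild_verifier(&cache, false));
    let after = verifier.verify(&serial, &[url], now);
    (before, after)
}
```

The point of the snapshot-then-delegate shape in `verify` is that the handshake never waits on a refresh: it works against whatever inner verifier was current when it started, and a swap that lands mid-handshake only affects later connections. `due_for_refresh` is where a real refresher would decide what to re-fetch; with `deny_on_unavailable = true`, letting a CRL expire without a successful refresh turns into handshake failures, so the refresh deadline needs to sit well before nextUpdate.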
Structs
- CachedCrl - Parsed CRL cached in memory and keyed by its source URL.
- CrlSet - Shared CRL state backing the dynamic mTLS verifier.
- DynamicClientCertVerifier - Stable outer verifier that delegates all TLS verification behavior to the atomically swappable inner verifier.
Functions
- bootstrap_fetch - Bootstrap the CRL cache by extracting CDP URLs from the CA chain and fetching any reachable CRLs with a 10-second total deadline.
- extract_cdp_urls - Extract CRL Distribution Point URLs from a DER-encoded certificate.
- parse_crl_metadata - Parse `thisUpdate` and `nextUpdate` metadata from a DER-encoded CRL.
- rebuild_verifier - Rebuild the inner rustls verifier from the current CRL cache.
- run_crl_refresher - Run the CRL refresher loop until shutdown.