SSL Context should support loading a CRL. See M2Crypto patches:
https://bugzilla.osafoundation.org/show_bug.cgi?id=12954
https://bugzilla.osafoundation.org/show_bug.cgi?id=11694

Or PyOpenSSL branch supporting CRL:
https://launchpad.net/~rick-fdd/pyopenssl/crl_and_revoked

Is it enough to just load a CRL file, or is other functionality usually needed?

The following APIs should help us do it:
- X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
- int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
- X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);

And also for configuration (enable CRL checking on the context):
- X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
- int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags);

Yes, you are right. OpenSSL uses the same API to load certs and CRLs. CRL checks must be enabled, though.

The patch implements SSLContext.verify_flags in order to enable CRL checks. It comes with documentation, a unit test and a new CRL file.

My patch is inspired by mod_ssl:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup#l697

CRLs can already be loaded with SSLContext.load_verify_locations(). The patch exposes the verification flags of SSLContext's X509_STORE. With X509_V_FLAG_CRL_CHECK OpenSSL requires (!) a CRL that matches the issuer of leaf certificate of the chain (the peer's cert). X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL also requires CRLs for all intermediate certs of the peer's cert chain.

The new patch addresses your review. I have altered the new to FLAGS_NONE, FLAGS_CLR_CHECK_LEAF etc.

That sounds too generic. How about VERIFY_CRL_NONE, etc.

It *is* generic. The flags are not about CRL alone, http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html#VERIFICATION_FLAGS

> It *is* generic. The flags are not about CRL alone,

That's why I proposed VERIFY_xxx, e.g. VERIFY_CRL_NONE.

Calling some flags "FLAGS" is senseless, it's like calling an integer
"INTEGER".

s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

> s/FLAGS_/VERIFY_/g ? OK, I don't have hard feelings. :)

And VERIFY_NONE should be VERIFY_CRL_NONE IMO.

But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

> But it's not about CRL alone. How about VERIFY_DEFAULT = 0 ?

Sounds good.

New changeset 83805c9d1f05 by Christian Heimes in branch 'default':
Issue #8813: Add SSLContext.verify_flags to change the verification flags
http://hg.python.org/cpython/rev/83805c9d1f05

memo to me: add whatsnew entry

This change seems to have broken the OS X 10.4 Tiger buildbot:

_ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
_ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'

http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370

:(

I seriously need access to a Darwin or OSX box. This is the second time I broke the build on OSX.

Ned Deily <report@bugs.python.org> schrieb:
>
>Ned Deily added the comment:
>
>This change seems to have broken the OS X 10.4 Tiger buildbot:
>
>_ssl.c:2240: error: 'struct x509_store_st' has no member named 'param'
>_ssl.c:2253: error: 'struct x509_store_st' has no member named 'param'
>_ssl.c:2257: error: 'struct x509_store_st' has no member named 'param'
>_ssl.c:2263: error: 'struct x509_store_st' has no member named 'param'
>
>http://buildbot.python.org/all/builders/x86%20Tiger%203.x/builds/7370
>
>----------
>nosy: +ned.deily
>resolution: fixed -> 
>status: pending -> open
>
>_______________________________________
>Python tracker <report@bugs.python.org>
><http://bugs.python.org/issue8813>
>_______________________________________

10.4 is *very* old:

$ /usr/bin/openssl version
OpenSSL 0.9.7l 28 Sep 2006

If you kept around that version of the headers and libs, you'd probably catch most of the problems.

This problem also breaks the 32-bit OS X installer build.

New changeset 40d4be2b7258 by Christian Heimes in branch 'default':
Issue #8813: X509_VERIFY_PARAM is only available on OpenSSL 0.9.8+
http://hg.python.org/cpython/rev/40d4be2b7258

The _ssl module compiles again with OpenSSL 0.9.7.

New changeset 1508c4c9e747 by R David Murray in branch 'default':
whatsnew: SSLContext.verify_flags and constants. (#8813)
http://hg.python.org/cpython/rev/1508c4c9e747

What is the status of this issue? Is it fixed or not?

The What's New in Python 3.4 document says that Python 3.4 can load CRL.

Yes, Python 3.4 can load and use CRLs.

> Yes, Python 3.4 can load and use CRLs.

Great work Christian, I was expecting this feature since many years :-)

It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL. All versions of Python could already load the CRLs but CRL checks could not be enabled.

> It was *really* trivial. I just had to expose two simple OpenSSL APIs to enable / disable CRL.

It was trivial thanks to all the work done before around SSLContext. For example, Python 2.7 doesn't have SSLContext, so adding support for CRL in Python 2.7 is non-trivial :-/