Merge pull request #21 from internetee/disable-crl-check-with-a-feature-flag

When no CRL file is defined, CRL check should be disabled completely

README.md

@@ -117,7 +117,7 @@ of Erlang property list.
 | `cacertfile_path`    | `/opt/ca/ca.crt.pem`               | SSLCACertificateFile  | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path.
 | `certfile_path`      | `/opt/ca/server.crt.pem`           | SSLCertificateFile    | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path.
 | `keyfile_path`       | `/opt/ca/server.key.pem`           | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path.
-| `crlfile_path`       | `/opt/ca/crl.pem`                  | SSLCARevocationFile   | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path.
+| `crlfile_path`       | `/opt/ca/crl.pem`                  | SSLCARevocationFile   | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed.
 
 
 Migrating from mod_epp

apps/epp_proxy/src/epp_tls_acceptor.erl

@@ -21,13 +21,12 @@ start_link(Port) ->
 			  []).
 
 init(Port) ->
-    Options = [binary, {packet, raw}, {active, false},
+    DefaultOptions = [binary, {packet, raw},
-	       {reuseaddr, true}, {verify, verify_peer}, {depth, 1},
+		      {active, false}, {reuseaddr, true},
+		      {verify, verify_peer}, {depth, 1},
 		      {cacertfile, ca_cert_file()}, {certfile, cert_file()},
-	       {keyfile, key_file()}, {crl_check, peer},
+		      {keyfile, key_file()}],
-	       {crl_cache,
+    Options = handle_crl_check_options(DefaultOptions),
-		{ssl_crl_cache, {internal, [{http, 5000}]}}}],
-    ssl_crl_cache:insert({file, crl_file()}),
     {ok, ListenSocket} = ssl:listen(Port, Options),
     gen_server:cast(self(), accept),
     {ok,
@@ -88,3 +87,16 @@ crl_file() ->
       undefined -> undefined;
       {ok, CrlFile} -> epp_util:path_for_file(CrlFile)
     end.
+
+%% In some environments, we do not perform a CRL check. Therefore, we need
+%% different options proplist.
+handle_crl_check_options(Options) ->
+    case application:get_env(epp_proxy, crlfile_path) of
+      undefined -> Options;
+      {ok, _CrlFile} ->
+	  ssl_crl_cache:insert({file, crl_file()}),
+	  NewOptions = [{crl_check, peer},
+			{crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}
+			| Options],
+	  NewOptions
+    end.

config/docker.config

@@ -10,7 +10,8 @@
                {cacertfile_path, "/opt/ca/certs/ca.crt.pem"},
                {certfile_path, "/opt/ca/certs/apache.crt"},
                {keyfile_path, "/opt/ca/private/apache.key"},
-               {crlfile_path, "/opt/ca/crl/crl.pem"}]},
+               {crlfile_path, "/opt/ca/crl/crl.pem"}
+	       ]},
   {lager, [
     {handlers, [
                {lager_console_backend, [{level, debug}]}

config/sys.config

@@ -24,7 +24,7 @@
                %% Path to server's key file.
                {keyfile_path, "/opt/shared/ca/certs/key.pem"},
 
-               %% Path to CRL file.
+               %% Path to CRL file. When this option is undefined, no CRL check is performed.
                {crlfile_path, "/opt/shared/ca/certs/key.pem"}]},
   {lager, [
     {handlers, [