Bug #75387 Support CRL Distribution Points and/or OCSP
Submitted: 1 Jan 2015 15:17 Modified: 12 Jan 2017 8:14
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Verified Impact on me: None
Category:MySQL Server: Security: Encryption Severity:S4 (Feature request)
Version:5.6.22 OS:Any
Assigned to: CPU Architecture:Any
Tags: cdp, crl, OCSP, revocation, revoke, SSL, tls

[1 Jan 2015 15:17] Daniël van Eeden
Description:
MySQL supports certificate revocation lists in 5.6, but doesn't support the CRL Distribution Points as encoded in certificates with X509 Extensions.

How to repeat:
Create a server, client and CA certificate with different serial numbers for each (a CRL is basically a list of revoked serials) and set Certificate Distribution Points (CDPs) in the certificates.
I used a branch of mysslgen for this:
https://github.com/dveeden/mysslgen/tree/cdp

Generate a CRL:
certtool --generate-crl --load-ca-privkey=CAkey.pem --load-ca-certificate=CAcert.pem --outfile my.crl

Make this available on a webserver:
sudo python -m SimpleHTTPServer 80

Notice that there are no requests for the CRL.

To check if there is a CDP:
openssl x509 -in ssl/server-cert.pem -noout -text
...
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://127.0.0.1/my.crl
...

Suggested fix:
Add CDP support for the server and optionally for the client.
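As an added example (not code from the bug report, from MySQL or from mysslgen), the following POSIX shell script reproduces the setup above with the openssl CLI alone: it builds a throwaway CA, issues a server certificate carrying a CRL Distribution Points extension that points at the same http://127.0.0.1/my.crl URI the report uses, generates a CRL, revokes the certificate by serial, and then runs the offline serial-against-CRL check that a CDP-aware server would perform once it had fetched the CRL. The subject names (Demo CA, mysql-server), the temporary working directory and the CDP URI are assumptions; nothing is fetched over HTTP.

```shell
#!/bin/sh
# Added example, not code from the bug report or from MySQL: build a throwaway
# CA with the openssl CLI, issue a server certificate that carries a
# CRL Distribution Points extension, revoke it, and show that an offline
# CRL check rejects the certificate by serial number.
# Assumption: the CDP URI is the one the report uses; nothing fetches it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CDP_URI="http://127.0.0.1/my.crl"

# Minimal "openssl ca" database plus a config whose x509 extension section
# adds crlDistributionPoints to every certificate it issues.
setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/CAcert.pem
private_key      = \$dir/CAkey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = server_ext

[ any_policy ]
commonName = supplied

[ server_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:$CDP_URI
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mysql-server" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/server.csr" \
    -out "$WORK/server-cert.pem" >/dev/null 2>&1
}

# (Re)issue the CRL from the CA database; serves the role of the certtool step.
gen_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/my.crl" >/dev/null 2>&1
}

# Mark the server certificate's serial as revoked in the CA database.
revoke_server_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Print the URI from the certificate's CRL Distribution Points extension:
# this is the value the report asks the server to read and fetch.
cdp_uri() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -text | sed -n 's/^ *URI://p'
}

# Serial-number check against the local CRL. Prints "valid" or "revoked";
# any other failure (missing CRL, bad CRL signature, ...) is reported as an
# error rather than being silently folded into "revoked".
verify_with_crl() {
  out=$(openssl verify -crl_check -CAfile "$WORK/CAcert.pem" \
          -CRLfile "$WORK/my.crl" "$WORK/server-cert.pem" 2>&1) && { echo valid; return 0; }
  case "$out" in
    *revoked*) echo revoked ;;
    *)         echo "error: $out" ;;
  esac
}

setup_ca
gen_crl                              # empty CRL: nothing revoked yet
BEFORE_REVOKE=$(verify_with_crl)
revoke_server_cert
gen_crl                              # CRL now lists the server cert's serial
AFTER_REVOKE=$(verify_with_crl)
echo "CDP:    $(cdp_uri)"
echo "before: $BEFORE_REVOKE"
echo "after:  $AFTER_REVOKE"
```

The `openssl verify -crl_check` step is the part MySQL already does when it is handed a CRL file; the piece the report asks for is the one `cdp_uri` exposes: reading the URI out of the peer certificate and retrieving the CRL from it instead of requiring the file to be copied to every server and client.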
[1 Jan 2015 15:51] Daniël van Eeden
CRLs for browsers/the internet are not really working (they became quite big after Heartbleed and are not checked often by browsers). CRLs for an internal CA might work fine, but distributing the CRL is hard. A CDP would help here.

Another solution to revoke certificates is OCSP, but setting up an OCSP responder is complicated. This is one of the only solutions which could work with MySQL when using public CAs. I don't think MySQL supports OCSP yet.

There is yet another solution: CRLsets, but that's browser only and proprietary. 

So the options now are:
- Distributing a CRL for all servers and clients (although Workbench can't use a CRL)
- Replacing the CA and all certificates when one or more certificates must be revoked
- Using short lived certificates and then not revoking them but just let them expire. But without some fully automatic certificate rollover this is quite a lot of work
[1 Jan 2015 15:51] Daniël van Eeden
Add more tags
[1 Jan 2015 15:52] Daniël van Eeden
change the title
[12 Jan 2017 8:14] MySQL Verification Team
Hello Daniël,

Thank you for the feature request!

Thanks,
Umesh