CRL Check

Since EMQX 5.0.22, CRL (Certificate Revocation List) checking is supported for MQTT SSL listeners. Note that this does not include Secure WebSocket or QUIC listeners: only listeners of type ssl support this feature.

With this feature enabled, EMQX attempts to verify that a connecting client's certificate has not been revoked, according to the CRL Distribution Point listed in the client's certificate, and rejects revoked client certificates during the SSL/TLS handshake phase of the connection. Note that the CRL itself must contain the "Issuing Distribution Point" extension in order for the revocation check to be enforced.

In order to enable this feature, both enable the corresponding option in the listener and set the listener's verify option to verify_peer, so that the client presents a certificate which is then checked against the CRL.

Example configuration to enable CRL Check:

```hocon
listeners.ssl.default {
  bind = "0.0.0.0:8883"
  ssl_options {
    keyfile = "/etc/emqx/certs/server.key"
    certfile = "/etc/emqx/certs/server.pem"
    cacertfile = "/etc/emqx/certs/ca.pem"
    verify = verify_peer
    enable_crl_check = true
  }
}
```
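Before enabling the option on a broker, it is worth confirming that the client certificates actually carry a CRL Distribution Point, that the CRL carries the Issuing Distribution Point extension the text above requires, and that a revoked certificate really fails verification. The script below is an added example, not part of the EMQX documentation or code base: it uses the openssl CLI to build a throw-away CA, issue one valid and one revoked client certificate, generate a CRL with a critical Issuing Distribution Point, and run the same checks against the resulting files. The CA name, the distribution point URI and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not EMQX code): build a demo PKI with the openssl CLI and
# run the checks the CRL feature relies on. All names/URIs are constructed.

# Write the openssl CA config into $1. The CDP URI placed in client certs and
# the IDP fullname placed in the CRL must match for the CRL to apply.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
crl_extensions = crl_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
# CRL Distribution Point: where the broker would fetch the CRL (constructed URI)
crlDistributionPoints = URI:http://crl.example.test/demo.crl
[ crl_ext ]
authorityKeyIdentifier = keyid:always
# Without this extension the revocation check is not enforced
issuingDistributionPoint = critical, @idp
[ idp ]
fullname = URI:http://crl.example.test/demo.crl
EOF
}

# Create the CA, a valid client cert, a revoked client cert and the CRL in $1.
build_demo_pki() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  write_ca_config "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Demo CA" -days 365 -config "$dir/ca.cnf" -extensions ca_ext 2>/dev/null
  for name in good revoked; do
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" -out "$dir/$name.csr" \
      -subj "/CN=$name" -config "$dir/ca.cnf" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/$name.csr" \
      -out "$dir/$name.pem" -notext 2>/dev/null
  done
  openssl ca -batch -config "$dir/ca.cnf" -revoke "$dir/revoked.pem" 2>/dev/null
  openssl ca -batch -config "$dir/ca.cnf" -gencrl -out "$dir/demo.crl" 2>/dev/null
}

# Does the client certificate carry a CRL Distribution Point? Without one the
# broker has nowhere to fetch a CRL from.
cert_has_cdp() {
  openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

# Does the CRL carry the Issuing Distribution Point extension?
crl_has_idp() {
  openssl crl -in "$1" -noout -text | grep -q "Issuing Distribution Point"
}

# Verify a client cert against CA and CRL as a handshake would.
# Prints "ok", "revoked" or "failed".
verify_with_crl() {
  dir=$1; cert=$2
  if out=$(openssl verify -crl_check -CAfile "$dir/ca.pem" \
             -CRLfile "$dir/demo.crl" "$cert" 2>&1); then
    echo ok
  elif echo "$out" | grep -qi "revoked"; then
    echo revoked
  else
    echo failed
  fi
}

main() {
  dir=$(mktemp -d)
  build_demo_pki "$dir"
  cert_has_cdp "$dir/good.pem" && echo "client cert has a CRL Distribution Point"
  crl_has_idp "$dir/demo.crl" && echo "CRL has an Issuing Distribution Point"
  echo "good.pem:    $(verify_with_crl "$dir" "$dir/good.pem")"
  echo "revoked.pem: $(verify_with_crl "$dir" "$dir/revoked.pem")"
  rm -rf "$dir"
}

main "$@"
```

Run the script with no arguments; it prints the two extension checks and then "ok" for the valid certificate and "revoked" for the revoked one. To apply the same checks to a real deployment, point cert_has_cdp at a client certificate, crl_has_idp at the CRL served from the distribution point, and verify_with_crl at the CA file configured in cacertfile.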