Christophe Nanteuil
Tue, 03 Feb 2009 10:12:19 -0800
Hello,

I am a stunnel user; stunnel implements code from mod_ssl for certificate/CRL verification. I noticed a strange behaviour when verifying a CRL, which uses the ssl_callback_SSLVerify_CRL function of mod_ssl:

If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile. Then, for any new connection, logs show "CRL: verification passed", which means that ssl_callback_SSLVerify_CRL returned TRUE. -> NOT OK, IMO.

Examples of wrong CRLs: a CRL issued by an unknown CA or a certificate in the PEM format.

I propose the attached patch to modify the behaviour of the ssl_callback_SSLVerify_CRL function, i.e. return false if no CRL corresponding to the issuer of each certificate of the chain is found.

--
Christophe Nanteuil
--- ssl_engine_kernel.c.saved 2009-02-03 18:47:51.000000000 +0100
+++ ssl_engine_kernel.c 2009-02-03 18:55:12.000000000 +0100
@@ -1615,6 +1615,7 @@
char *cp;
char *cp2;
ASN1_TIME *t;
+ BOOL good_crl = FALSE;
/*
* Unless a revocation store for CRLs was created we
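Review bot: the new flag declared at "BOOL good_crl = FALSE;" carries no comment, and its name suggests that a CRL was judged good, while the later hunks set it at the end of the two blocks that free obj, so it really records that a CRL was found and processed for this certificate. A name such as crl_found, plus a one-line comment saying that the function fails closed while the flag is still FALSE, would make the intent clear to the next reader.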
@@ -1724,6 +1725,7 @@
return FALSE;
}
X509_OBJECT_free_contents(&obj);
+ good_crl = TRUE;
}
/*
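Review bot: "good_crl = TRUE;" here and the identical assignment in the next hunk both satisfy the final return, so a CRL picked up by either block alone is enough for the certificate to pass. The stated goal is to fail when no CRL corresponding to the certificate's issuer is found, so please confirm that this block matches the CRL against the issuer; if it matches on another name, the assignment here should be dropped so that only the issuer lookup can set the flag.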
@@ -1764,8 +1766,9 @@
}
}
X509_OBJECT_free_contents(&obj);
+ good_crl = TRUE;
}
- return ok;
+ return (good_crl?ok:FALSE);
}
/*
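Review bot: "return (good_crl?ok:FALSE);" rejects the certificate without any log line on the path where no CRL was found, so an administrator sees a failed verification with no stated reason; log that no CRL was available for this certificate before returning FALSE. Since the check applies to each certificate of the chain, any chain that includes a CA for which no CRL is loaded will now be refused, and that behaviour change should be documented or made configurable. Minor style point: the outer parentheses are unnecessary and the ternary reads better spaced as good_crl ? ok : FALSE.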