On Thu Jul 11 23:50:49 2013, f...@open.ch wrote:
>
> The following bug occurred with s_client under
> * OpenSSL 1.0.1c 10 May 2012
> * OpenSSL 1.0.1e 11 Feb 2013.
>
> However, not triggered with s_client under
> * OpenSSL 0.9.8x 10 May 2012.
>
> API calls tested and failed under
> * OpenSSL 1.0.1c 10 May 2012.
>
> By connecting with s_client to https://www.wordpress.com for instance,
> and performing CRL checks, s_client gets stuck when comparing the
> server certificate to the corresponding CRL:
>
I downloaded the corresponding server CRL from www.wordpress.com and don't get that issue. I can however reproduce it when I use one of your supplied CRLs with that site, and checking through the CRL shows that its scope doesn't match the server. I've not had a chance to try the other sites yet.

The s_client utility is somewhat artificial in that it tries to continue after any and all verification errors: if a real application did that it would have zero security. If you include the option -verify_return_error to s_client only the first verification error is noted and you shouldn't get the loop any more.

Obviously the loop shouldn't happen: I'll look into fixing that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
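An added example, not code from the thread or from the OpenSSL project: a small POSIX shell checker that runs s_client the way the reply describes, with -crl_check and -verify_return_error so the first verification error aborts the handshake instead of being skipped, and reads the verify result back. It assumes openssl is on PATH, that ca.pem and crl.pem are placeholders for the CA bundle and the issuer's CRL, and that the -CRLfile option is available (older builds must instead put the CRL in the -CAfile/-CApath store).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes: openssl on PATH; ca.pem / crl.pem
# are placeholders for the CA bundle and the issuer's CRL; -CRLfile is available
# (older builds must instead put the CRL in the -CAfile/-CApath store).

# Read s_client output on stdin and print the numeric verify result.
# Prefers the final "Verify return code: N (...)" summary; with -verify_return_error a
# failed handshake never reaches that line, so fall back to the first
# "verify error:num=N:..." line from the verify callback. Prints nothing if neither exists.
verify_code() {
    input=$(cat)
    code=$(printf '%s\n' "$input" |
        sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        code=$(printf '%s\n' "$input" |
            sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$code"
}

# CRL-checked handshake against host:443. -verify_return_error makes the first
# verification error fatal instead of s_client continuing past it (the behaviour
# that produced the loop in the report). Returns 0 only for a clean verify.
check_with_crl() {
    host=$1; ca=$2; crl=$3
    if out=$(openssl s_client -connect "$host:443" -servername "$host" \
                 -CAfile "$ca" -CRLfile "$crl" -crl_check -verify_return_error \
                 </dev/null 2>&1); then
        status=0
    else
        status=$?
    fi
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$status" -eq 0 ] && [ "$code" = "0" ]; then
        echo "$host: certificate verified against CRL (verify code 0)"
        return 0
    fi
    echo "$host: verification FAILED (exit $status, verify code ${code:-none})" >&2
    return 1
}

# Usage: sh check_crl.sh www.example.test ca.pem crl.pem
if [ $# -eq 3 ]; then
    check_with_crl "$@"
fi
```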