Hi, all

I have tested CRL verification for the master branch of the haproxy git
repository under the following conditions:
* two CAs (CA1 & CA2) used to do verification
* CRL file specified, but containing only the CRL issued by CA1

When I send a request with a certificate issued by CA2, the verification
fails with the reason 'Unknown CA'; certificates issued by CA1 are
verified successfully. Then I append the CRL issued by CA2 to the CRL
file, so there are two CRLs in the CRL file now. Client certificates
issued by CA1 or CA2 can then both be verified OK.

It means that if more than one CA is used and CRL verification is enabled,
the CRL issued by each CA should be put into the single CRL file; otherwise
client certificates issued by a CA which does not supply a CRL may fail
to be verified.

Since haproxy calls the SSL library to do CRL verification with the
following code:

    X509_STORE_set_flags(store,
                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);

I guess that it may be the behavior of the SSL library, but I found nothing
related to this problem.

Any help will be much appreciated.

Best Regards,
Godbach
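The behaviour described above can be reproduced without haproxy. The script below is an added example (not haproxy's code and not from the original post): it builds two throwaway CAs, one client certificate from each, and an empty CRL per CA with the openssl CLI, then runs `openssl verify -crl_check_all`, which exercises the same X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL behaviour as the store flags quoted above. It assumes an `openssl` binary is on PATH; all file names are local to a temporary directory.

```shell
#!/bin/sh
# Added example (not haproxy code): reproduce the two-CA / one-CRL behaviour
# with the openssl CLI. All keys, certs and CRLs are throwaway, generated here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA "$1" plus an (empty) CRL signed by it.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
  # minimal 'openssl ca' config: only what -gencrl needs
  printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s.idx\ncrlnumber=%s.num\n' "$1" "$1" > "$1.cnf"
  printf 'certificate=%s.crt\nprivate_key=%s.key\ndefault_md=sha256\ndefault_crl_days=30\n' \
    "$1" "$1" >> "$1.cnf"
  : > "$1.idx"
  echo 01 > "$1.num"
  openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}

# Client certificate "$2" issued by CA "$1".
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$2.crt" 2>/dev/null
}

# Same flags haproxy sets (CRL_CHECK|CRL_CHECK_ALL), expressed as -crl_check_all.
# Prints "ok" or "fail" and always returns 0 so callers under set -e keep going.
verify_client() {  # $1 = CRL file, $2 = client cert
  if openssl verify -crl_check_all -CAfile cas.pem -CRLfile "$1" "$2" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

mkca CA1
mkca CA2
mkleaf CA1 client1
mkleaf CA2 client2
cat CA1.crt CA2.crt > cas.pem        # trust both CAs
cp CA1.crl crl-ca1-only.pem          # CRL file holding CA1's CRL only
cat CA1.crl CA2.crl > crl-both.pem   # CRL file holding both CRLs

echo "client1 / CA1 CRL only: $(verify_client crl-ca1-only.pem client1.crt)"  # ok
echo "client2 / CA1 CRL only: $(verify_client crl-ca1-only.pem client2.crt)"  # fail
echo "client2 / both CRLs   : $(verify_client crl-both.pem client2.crt)"      # ok
```

Run `openssl verify` without the redirects to see the underlying X509 error for the failing case, "unable to get certificate CRL"; in a TLS handshake OpenSSL reports that verification error to the peer as the "unknown CA" alert, which is the message seen above. Operationally this means every CA in the trust bundle needs a current CRL in the CRL file whenever CRL checking is enabled, even a CA that has never revoked anything.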
