> Hi, all
> 
> I have tested CRL verification with the master branch of the haproxy git
> repository under the following conditions:
> * two CAs (CA1 & CA2) are used for verification
> * a CRL file is specified, but it contains only the CRL issued by CA1
> 
> When I send a request with a certificate issued by CA2, verification
> fails with the reason 'Unknown CA'; certificates issued by CA1 are
> verified successfully. Then I append the CRL issued by CA2 to the CRL
> file, so there are now two CRLs in the CRL file. Client certificates
> issued by CA1 or CA2 can now be verified OK.
> 
> This means that if more than one CA is used and CRL verification is
> enabled, the CRL issued by each CA should be put into the single CRL
> file; otherwise client certificates issued by a CA that does not supply
> a CRL may fail to be verified.
> 
> Since haproxy calls the SSL library to do CRL verification with the
> following code:
>      X509_STORE_set_flags(store,
>                           X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
> I guess that this may be the behaviour of the SSL library, but I found
> nothing related to this problem.
> 
> Any help will be much appreciated.
> 
> Best Regards,
> Godbach
> 

The main configuration for the frontend is as below:

frontend fe
    bind <ip>:443 ssl crt 1.cer verify required ca-file ca-root-both.cer crl-file ca-root-crl-both.cer

There are two CAs in the file ca-root-both.cer in PEM format, and two CRLs
in ca-root-crl-both.cer, also in PEM format.

If only one CRL, issued by one of the two CAs, is in the crl-file, the cert
issued by the other CA will fail to verify.

Has anyone else had this problem?

Best Regards,
Godbach

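The behaviour described in the thread can be reproduced outside haproxy with the openssl command line, since `openssl verify -crl_check_all` sets the same X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL flags on its X509_STORE. The script below is an added example, not code from the thread or from the haproxy project: it builds two throwaway CAs (CA1, CA2), one client certificate per CA, one empty CRL per CA, and then verifies each client against a crl-file holding only CA1's CRL and against one holding both. The CA/client names, the per-CA config stanza and the temporary directory are made up for the demo; the file names ca-root-both.cer and ca-root-crl-both.cer mirror the ones in the haproxy config above. It assumes an openssl binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not haproxy code: reproduce the multi-CA CRL behaviour from
# the thread with the openssl CLI. CA/client names, the config stanza and the
# throwaway directory are made up for the demo; "ca-root-both.cer" and
# "ca-root-crl-both.cer" mirror the names in the haproxy config above.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Per-CA config: enough for 'req -x509' (CA cert) and 'ca -gencrl' (CRL).
mk_cnf() {   # $1 = CA name
    cat > "$1.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $1
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
database   = $1.index
crlnumber  = $1.crlnumber
default_md = sha256
EOF
    : > "$1.index"            # empty issued-certificate database
    echo 01 > "$1.crlnumber"  # first CRL number
}

mk_ca() {    # $1 = CA name -> $1.key, $1.crt (self-signed root)
    mk_cnf "$1"
    openssl req -x509 -config "$1.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

mk_client() { # $1 = client name, $2 = issuing CA -> $1.crt
    openssl req -new -config "$2.cnf" -subj "/CN=$1" -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 30 -sha256 -out "$1.crt" 2>/dev/null
}

mk_crl() {   # $1 = CA name -> $1.crl, an empty (nothing revoked) CRL
    openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" \
        -crldays 30 -out "$1.crl" 2>/dev/null
}

# verify_client CAFILE CRLFILE CERT: exit 0 if the chain verifies, 1 otherwise.
# -crl_check_all is the CLI spelling of the X509_V_FLAG_CRL_CHECK|
# X509_V_FLAG_CRL_CHECK_ALL flags haproxy sets on its X509_STORE: every
# certificate in the chain, the CA included, must be covered by a CRL.
verify_client() {
    openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# verify_reason CAFILE CRLFILE CERT: print openssl's "error N at M depth lookup:" line.
verify_reason() {
    openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" "$3" 2>&1 \
        | grep 'lookup:' || true
}

mk_ca CA1; mk_ca CA2
mk_client client1 CA1; mk_client client2 CA2
mk_crl CA1; mk_crl CA2
cat CA1.crt CA2.crt > ca-root-both.cer        # both CAs, like the ca-file
cp  CA1.crl         crl-only-ca1.pem          # CA1's CRL only
cat CA1.crl CA2.crl > ca-root-crl-both.cer    # both CRLs, like the crl-file

for crl in crl-only-ca1.pem ca-root-crl-both.cer; do
    for c in client1 client2; do
        if verify_client ca-root-both.cer "$crl" "$c.crt"; then
            echo "$c with $crl: OK"
        else
            echo "$c with $crl: FAIL ($(verify_reason ca-root-both.cer "$crl" "$c.crt"))"
        fi
    done
done
```

With only CA1's CRL present, client2 fails with "unable to get certificate CRL" (X509_V_ERR_UNABLE_TO_GET_CRL) while client1 passes; once CA2's CRL is concatenated into the same file, both pass. haproxy reports that library-level failure to the client as the generic "Unknown CA" TLS alert, which is why the alert name in the thread does not mention CRLs at all.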