Paul Keogh wrote:
>
> I have a problem decoding a CRL which is missing the VERSION field but which
> has extensions present.
>
> X.509 (11.2, note 3) says this is legal as long as none of the extensions
> are critical. However,
> the d2i_X509_CRL_INFO() function doesn't arbitrate on the extensions'
> criticality,
> just the version, when deciding to handle the extensions.
>
> Skipping the extensions causes the ASN.1 decoder to go astray, and the
> function fails.
> Interestingly, RFC 2459 (certificate and CRL profile) agrees with the code.
>
> What to do?
>
This is fixed in the latest snapshot. It now always tolerates extensions
for any version.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]