Brien Wheeler wrote:
>
> Folks,
>
> In using an older version of SSLeay in our product, we have
> run across the following situation which I believe to be a bug
> in parsing of CRL_INFO structures. Essentially, the 1997 X.509
> standard states that the optional version number in a CRL_INFO is
> present only if a critical extension is present and shall be absent
> if no critical extensions are present.
>
> The RSA Keon certificate server creates CRLs that have an
> Authority Key Identifier (always non-critical) extension in them,
> and no version number (following the standard's mandated handling).
> The version of SSLeay we're using (and OpenSSL 0.9.4) both fail
> to parse these correctly because they only parse extensions if
> the version number is present and greater than or equal to one.
>
This has already been fixed in the OpenSSL 0.9.5 development release.
RFC2459 however doesn't allow this kind of CRL:
> 5.1.2.1 Version
>
> This optional field describes the version of the encoded CRL. When
> extensions are used, as required by this profile, this field MUST be
> present and MUST specify version 2 (the integer value is 1).
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
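Added here as a worked illustration, not code from the thread or from SSLeay/OpenSSL: a small Python DER parser for TBSCertList (the structure OpenSSL calls X509_CRL_INFO), with constructed sample CRLs in both shapes discussed above (no version field plus a non-critical Authority Key Identifier, and the RFC 2459 form with version 2 plus extensions). The legacy=True branch approximates the pre-0.9.5 behaviour described in the thread (the [0] crlExtensions field is only accepted when a version >= 1 is present); treating that as a parse error is an assumption, not a reproduction of SSLeay's exact failure. The function and helper names, the sample issuer and the key identifier bytes are all mine.

```python
# TBSCertList (X.509 / RFC 2459 section 5.1), as handled by this parser:
#   SEQUENCE { version INTEGER OPTIONAL (v2 encoded as 1), signature, issuer,
#              thisUpdate, nextUpdate OPTIONAL, revokedCertificates OPTIONAL,
#              crlExtensions [0] EXPLICIT Extensions OPTIONAL }

AKI_OID = bytes.fromhex("551d23")        # id-ce-authorityKeyIdentifier (2.5.29.35)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content octets of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _tlv(tag, value):
    """DER-encode one element (values up to 65535 bytes are enough here)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + value


def build_tbs_crl(version, extensions):
    """Constructed sample TBSCertList (fake issuer, no revoked entries).
    extensions: list of (oid_bytes, critical, extnValue_bytes)."""
    parts = []
    if version is not None:
        parts.append(_tlv(0x02, bytes([version])))                          # version
    parts.append(_tlv(0x30, bytes.fromhex("06092a864886f70d010105") + b"\x05\x00"))  # sha1WithRSA
    atv = _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"Test CA")     # CN=Test CA
    parts.append(_tlv(0x30, _tlv(0x31, _tlv(0x30, atv))))                   # issuer Name
    parts.append(_tlv(0x17, b"000101000000Z"))                              # thisUpdate
    parts.append(_tlv(0x17, b"010101000000Z"))                              # nextUpdate
    if extensions:
        exts = b"".join(
            _tlv(0x30, _tlv(0x06, oid) + (_tlv(0x01, b"\xff") if crit else b"") + _tlv(0x04, val))
            for oid, crit, val in extensions)
        parts.append(_tlv(0xA0, _tlv(0x30, exts)))                          # [0] EXPLICIT Extensions
    return _tlv(0x30, b"".join(parts))


def parse_tbs_crl(der, legacy=False):
    """Parse a TBSCertList. legacy=True approximates the pre-0.9.5 behaviour from
    the thread: [0] extensions are only consumed when version is present and >= 1
    (the resulting rejection is modelled as ValueError; an assumption)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("TBSCertList must be a single SEQUENCE")
    fields = _children(body)
    version = None
    if fields and fields[0][0] == 0x02:                # optional version comes first
        version = int.from_bytes(fields[0][1], "big")
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("missing signature/issuer/thisUpdate")
    fields = fields[3:]                                # signature, issuer, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):        # optional nextUpdate (UTC/Generalized)
        fields = fields[1:]
    revoked = 0
    if fields and fields[0][0] == 0x30:                # optional revokedCertificates
        revoked = len(_children(fields[0][1]))
        fields = fields[1:]
    exts_present = bool(fields) and fields[0][0] == 0xA0
    exts = []
    if exts_present and not (legacy and (version is None or version < 1)):
        for _, ext in _children(_children(fields[0][1])[0][1]):   # [0] wraps SEQUENCE OF Extension
            ch = _children(ext)
            critical = len(ch) == 3 and ch[1][1] == b"\xff"        # BOOLEAN present => critical
            exts.append((ch[0][1], critical))
        fields = fields[1:]
    if fields:
        raise ValueError("unexpected trailing field, tag 0x%02x" % fields[0][0])
    return {"version": version, "revoked": revoked, "extensions": exts,
            # RFC 2459 5.1.2.1: extensions used => version present and equal to 1 (v2)
            "rfc2459_ok": (not exts_present) or version == 1}


if __name__ == "__main__":
    aki = _tlv(0x30, _tlv(0x80, b"\x01\x02\x03\x04"))            # constructed keyIdentifier
    samples = {"no version + non-critical AKI": build_tbs_crl(None, [(AKI_OID, False, aki)]),
               "v2 + non-critical AKI": build_tbs_crl(1, [(AKI_OID, False, aki)])}
    for name, crl in samples.items():
        print(name, "->", parse_tbs_crl(crl))
        try:
            parse_tbs_crl(crl, legacy=True)
            print("  legacy parser: accepted")
        except ValueError as e:
            print("  legacy parser:", e)
```

Run as a script: the first sample parses with the current-style logic (one non-critical extension found, rfc2459_ok False because no version field is present) but is rejected by the legacy branch with an "unexpected trailing field" error; the second sample passes both parsers and satisfies the RFC 2459 rule. A real CRL consumer should keep the lenient parse but report the version/extension mismatch, rather than silently dropping the extensions.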