I'm not sure about your solution. Have you tested it at all and verified that it works? According to my understanding of the source, X509_load_crl_file() will not load a certificate into the cache if there already exists another cert with the same subject in that same cache. In effect, your patch would therefore change nothing...
[[EMAIL PROTECTED] - Mon Jan 20 14:51:36 2003]:
> I have several certificates with the same subject which are in two
> different directories. When I put these two directories to
> X509_LOOKUP_hash_dir and use this lookup during validation, the
> certificate is found only if it is in the first directory in the lookup.
>
> I've found the problem in OpenSSL 0.9.6g and also 0.9.7.
>
> I've looked into it and the cause is probably in
> crypto/x509/by_dir.c, function get_cert_by_subject(). The outer loop
> here goes through the directories assigned to the lookup object. For each
> directory all the certificates with the given hash code are loaded. Next,
> the certificate is looked up by subject and if found, the function
> exits. In this case the other directories are not loaded. So later when
> the certificate found is not the one really requested and the loaded
> cache is consulted, it is not filled as it should be and the certificate is
> not found.
>
> I think the lookup by subject in get_cert_by_subject() should be
> performed after the outer loop finishes (see attached patch).
>
> Regards
> Martin

-- 
Richard Levitte
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
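The following is an added model of the control flow the two messages argue about; it is not OpenSSL code and is written in Python rather than the C of crypto/x509/by_dir.c. It assumes a hashed directory is a map from subject hash to certificate list, that the store's cache is a plain list, and that certificates sharing a subject are told apart by serial number (standing in for X509_OBJECT_retrieve_match). Martin's reading is `get_cert_by_subject_reported` (lookup inside the outer loop, early return) versus `get_cert_by_subject_patched` (lookup after the loop); Richard's objection is modelled by the `loader_dedups_by_subject` flag, under which the loader refuses a second certificate for an already-cached subject and the patch changes nothing. All names and data are constructed for this example.

```python
"""Constructed model of the hashed-directory lookup discussed in the thread.
Not OpenSSL code: HashDirLookup, Cert and find_issuer are hypothetical names."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X509 object; serial tells apart certs sharing one subject."""
    subject: str
    serial: int


def subject_hash(subject: str) -> str:
    """Stand-in for X509_NAME_hash(): hashed dirs group files by subject hash."""
    return hashlib.sha1(subject.encode()).hexdigest()[:8]


HashDir = Dict[str, List[Cert]]  # directory contents: subject hash -> certs


@dataclass
class HashDirLookup:
    dirs: List[HashDir]
    loader_dedups_by_subject: bool = False   # Richard's reading of the loader
    cache: List[Cert] = field(default_factory=list)  # the store's object cache

    def _load(self, d: HashDir, h: str) -> None:
        """Load every cert of hash h from one directory into the cache."""
        for c in d.get(h, []):
            if c in self.cache:
                continue
            if self.loader_dedups_by_subject and any(
                    x.subject == c.subject for x in self.cache):
                continue  # a cert with this subject is already cached: skipped
            self.cache.append(c)

    def _find(self, subject: str) -> Optional[Cert]:
        return next((c for c in self.cache if c.subject == subject), None)

    def get_cert_by_subject_reported(self, subject: str) -> Optional[Cert]:
        """Control flow as reported: look up inside the loop, return on first hit."""
        h = subject_hash(subject)
        for d in self.dirs:
            self._load(d, h)
            hit = self._find(subject)
            if hit is not None:
                return hit  # remaining directories are never loaded
        return None

    def get_cert_by_subject_patched(self, subject: str) -> Optional[Cert]:
        """Proposed fix: load every directory first, look up afterwards."""
        h = subject_hash(subject)
        for d in self.dirs:
            self._load(d, h)
        return self._find(subject)


def find_issuer(lookup: HashDirLookup, subject: str, serial: int,
                patched: bool) -> Optional[Cert]:
    """Model of the caller: fetch one cert by subject, then consult the cache
    for the one that really matches (here by serial)."""
    getter = (lookup.get_cert_by_subject_patched if patched
              else lookup.get_cert_by_subject_reported)
    if getter(subject) is None:
        return None
    return next((c for c in lookup.cache
                 if c.subject == subject and c.serial == serial), None)


CA = "CN=Example CA"  # constructed subject shared by two different certs


def make_lookup(dedup: bool = False) -> HashDirLookup:
    """Two hashed directories, each holding its own cert for the same subject."""
    d1: HashDir = {subject_hash(CA): [Cert(CA, 1)]}
    d2: HashDir = {subject_hash(CA): [Cert(CA, 2)]}
    return HashDirLookup([d1, d2], loader_dedups_by_subject=dedup)


if __name__ == "__main__":
    for dedup in (False, True):
        for patched in (False, True):
            lk = make_lookup(dedup)
            print(f"dedup={dedup} patched={patched}:",
                  find_issuer(lk, CA, 2, patched))
```

With the loader modelled as Martin describes it, the early return leaves the second directory unloaded and the serial-2 certificate is unreachable; moving the lookup after the loop fixes that. With the loader refusing a second certificate for an already-cached subject, the patched variant also returns nothing, which is the point Richard raises.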
