Hello,

In versions of openssl up to at least 0.9.8g there was a problem with loading multiple CRLs for the same issuer. This situation affects long-running servers that use openssl and need to install updated CRLs without restarting the server or destroying the SSL context.

Previously, X509_STORE_add_crl() would decline to add the second (i.e. more recent) and subsequent CRLs to the X509 store with an X509_R_CERT_ALREADY_IN_HASH_TABLE error. In openssl-SNAP-20080206.tar.gz this situation is improved, since multiple CRLs from the same issuer can be loaded (it seems to check the SHA hash of the CRL as well as the issuer name).

However, even when multiple CRLs are loaded into the X509 store, when verifying a certificate openssl does not look at the most recent CRL. In crypto/x509/x509_vfy.c, get_crl_sk() appears to try to find the 'best' CRL to use for an issuer, but it will actually use the _first_ one it finds in the CRL stack that has valid dates (other things being equal). If there is a later (i.e. more recent) CRL for the same issuer lower in the stack (i.e. loaded later), then it will not be used.

I think get_crl_sk() needs to work harder to find the latest CRL for an issuer.

Cheers.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
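The selection difference the post describes, as an added illustration that is not part of the original message and not OpenSSL's own code: a constructed stand-in for the fields get_crl_sk() consults (issuer, lastUpdate, nextUpdate), a "first date-valid match" selector that reproduces the behaviour complained about, and a "latest date-valid match" selector that returns the most recent CRL for the issuer regardless of its position in the stack. The struct, field names, sample stack and verification time are all assumptions made for this example; real code would read these values from an X509_CRL.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for the CRL fields a selector needs (assumption for this example;
 * not OpenSSL's X509_CRL structure). */
typedef struct {
    const char *issuer;   /* issuer DN, compared as a plain string here */
    time_t last_update;   /* CRL lastUpdate (thisUpdate) */
    time_t next_update;   /* CRL nextUpdate; 0 means the field is absent */
} crl_info;

/* Does the CRL's validity window cover the verification time? */
static int crl_dates_ok(const crl_info *crl, time_t now)
{
    if (crl->last_update > now)
        return 0;                        /* CRL is from the future */
    if (crl->next_update != 0 && crl->next_update < now)
        return 0;                        /* CRL has expired */
    return 1;
}

/* Behaviour the post describes: return the index of the FIRST CRL in the stack
 * whose issuer matches and whose dates are valid, ignoring newer ones further down. */
int pick_first_matching(const crl_info *stack, int n, const char *issuer, time_t now)
{
    for (int i = 0; i < n; i++) {
        if (strcmp(stack[i].issuer, issuer) == 0 && crl_dates_ok(&stack[i], now))
            return i;
    }
    return -1;                           /* no usable CRL for this issuer */
}

/* Behaviour the post asks for: among issuer-matching, date-valid CRLs, return the
 * index of the one with the LATEST lastUpdate, wherever it sits in the stack. */
int pick_latest_matching(const crl_info *stack, int n, const char *issuer, time_t now)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (strcmp(stack[i].issuer, issuer) != 0 || !crl_dates_ok(&stack[i], now))
            continue;
        if (best < 0 || stack[i].last_update > stack[best].last_update)
            best = i;
    }
    return best;
}

/* Constructed sample stack: two CRLs from the same issuer, the newer one loaded later
 * (i.e. lower in the stack), plus an unrelated issuer in between. */
static const crl_info sample_stack[] = {
    { "CN=Example CA", 1000, 4000 },
    { "CN=Other CA",   1500, 4500 },
    { "CN=Example CA", 2000, 5000 },     /* newer CRL for Example CA */
};
#define SAMPLE_N   3
#define SAMPLE_NOW 3000                  /* constructed verification time */

int main(void)
{
    int first  = pick_first_matching(sample_stack, SAMPLE_N, "CN=Example CA", SAMPLE_NOW);
    int latest = pick_latest_matching(sample_stack, SAMPLE_N, "CN=Example CA", SAMPLE_NOW);
    printf("first-match selector picks index %d (lastUpdate %ld)\n",
           first, (long)sample_stack[first].last_update);
    printf("latest-match selector picks index %d (lastUpdate %ld)\n",
           latest, (long)sample_stack[latest].last_update);
    return 0;
}
```

With the sample stack and a verification time of 3000, both CRLs for "CN=Example CA" are date-valid, so the first-match selector returns index 0 (the stale CRL) while the latest-match selector returns index 2. Only once the older CRL has passed its nextUpdate do the two agree, which is exactly the window in which a revocation published in the newer CRL would be missed.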
