On Thu, Jul 14, 2016 at 4:55 PM, The default queue via RT <r...@openssl.org> wrote:
>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
> "Cache utility behaving strange with X509_LOOKUP_add_dir",
> a summary of which appears below.
>
> There is no need to reply to this message right now. Your ticket has been
> assigned an ID of [openssl.org #4615].
>
> Please include the string:
>
> [openssl.org #4615]
>
> in the subject line of all future correspondence about this issue. To do so,
> you may reply to this message.
>
> Thank you,
> r...@openssl.org
>
> -------------------------------------------------------------------------
> Hi,
>
> I have a query related to how these APIs X509_STORE_add_lookup()
> and X509_LOOKUP_add_dir() work. Let me give you a brief explanation of what
> I am doing:
>
> Purpose was to add lookup for CRLs.
>
> First when my server starts and my SSL initializes I have successfully
> created a store to which lookup has been added for CRL directory.
>
> - pLookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
> - X509_LOOKUP_add_dir(pLookup, mCRLPath.c_str(), X509_FILETYPE_PEM)
>
> Example CRL Directory: /var/cert/CRL/
> Scenario:
> 1) When the system starts no CRL files are present in the CRL Directory
> 2) Client_1 initiates a connection to my server (using openssl s_client)
> 3) OpenSSL does the lookup of CRLs for the corresponding (Sub) CAs and does
> not find anything, thus giving error in the verify_callback
> (UNABLE_TO_GET_CRL). In the application code I have handled these
> errors gracefully. Callback is again called for further validation and the
> connection is accepted.
> *Result: Satisfied*
>
> 1) Now, I place two CRLs (Sub CA, Root CA) in the CRL directory (server was
> still up and I did not stop it)
> I have created a crl -hash (issuer hash) and linked them to CRL pem
> certificates.
> *$hash(rootca).r0 -> root_ca.pem*
> *$hash(subca).r0 -> sub_ca.pem*
> 2) Client_1 again initiates a connection to my server (using openssl
> s_client) (client certificate chain is: ID/Sub CA/Root CA)
> 3) OpenSSL does a lookup of CRLs and does not throw any error. Validation
> happened with verify_callback getting invoked 3 times with preverify_ok =
> 1. Client connection is accepted
> *Result: Satisfied*
>
> 1) Now, I removed the above CRL files (Sub CA/Root CA) from the CRL
> directory. Based on the manual page these CRLs should be now in the cached
> memory of X509_OBJECT.
> 2) I repeated steps (2) and (3). Connection gets accepted from the client.
> Everything still works fine because OpenSSL maintained CRL files in its
> cache and found them during the lookup.
> *Result: Satisfied*
>
> Now from here the problem starts:
> =========================
> 1) My Sub_CA revoked Client_1 certificate (since Sub_CA was the issuing CA
> in the first place)
> 2) I recreated Sub_CA CRL and placed it in the CRL Directory.
> 3) Created the hash and linked it as follows:
> *$hash(sub_ca).r1* -> sub_ca.pem (hoping that OpenSSL still has
> $hash(sub_ca).r0 in its cache, since above we have seen that the lookup
> worked even when I removed the CRL files from the CRL Directory)
> 4) Client_1 initiates a connection to my server and gets accepted
> successfully ==== Should Not Have Happened
> Based on the manual page for *X509_LOOKUP_hash_dir
> - https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html*
>
> > When checking for new CRLs once one CRL for given hash value is loaded,
> > hash_dir lookup method checks only for certificates with sequence number
> > greater than that of the already cached CRL.
>
> Since the sequence number has changed from r0 to r1 for same issuer
> (sub_ca in my case) OpenSSL should have done a lookup and based on the
> latest sequence number should have given me an error stating Client
> Certificate has been revoked.
>
> Just to let you know, I have tested revoked certificates with the CRL and
> it works fine. So no problem with that.
> OpenSSL Version I am using is *OpenSSL 1.0.1e-fips 11 Feb 2013*
>
> Eagerly awaiting your response. Need to implement CRL functionality ASAP
> and hoping to get all the help from you guys.
>
> Regards,
> Anirudh
>
>
> -------------------------------------------------------------------------
> http://rt.openssl.org/Ticket/Display.html?id=4615&user=guest&pass=guest
>

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
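The hash_dir rule the ticket quotes from the manual, replayed over the reporter's four steps, as an added example: a constructed Python model of the documented cache semantics, not OpenSSL's own code; the issuer hash `1a2b3c4d` and the directory contents are made up.

```python
"""Model of the X509_LOOKUP_hash_dir CRL cache rule quoted from the manual.

Constructed example: a directory is a dict of file names <issuer-hash>.r<N>
to CRL contents; the cache remembers, per issuer hash, the highest sequence
number already loaded. Files deleted from disk stay cached, and a later
lookup loads only sequence numbers greater than the cached one.
"""


class HashDirCache:
    """Per-issuer-hash record of the highest CRL sequence number loaded."""

    def __init__(self):
        self.loaded = {}  # issuer hash -> highest sequence number cached
        self.crls = {}    # file name -> CRL content, as loaded

    def lookup_crl(self, issuer_hash, directory):
        """Re-scan for newer CRLs, then return the newest one for issuer_hash.

        The scan starts at the sequence number after the cached one, so an
        rN that appears later supersedes a cached r(N-1) even when the old
        file has been deleted. Returns None when nothing is on disk and
        nothing is cached (the UNABLE_TO_GET_CRL case from the ticket).
        """
        seq = self.loaded.get(issuer_hash, -1) + 1
        while f"{issuer_hash}.r{seq}" in directory:
            name = f"{issuer_hash}.r{seq}"
            self.crls[name] = directory[name]
            self.loaded[issuer_hash] = seq
            seq += 1
        if issuer_hash not in self.loaded:
            return None
        return self.crls[f"{issuer_hash}.r{self.loaded[issuer_hash]}"]


def run_ticket_scenario():
    """Replay the reporter's steps; returns the CRL that served each lookup."""
    sub_ca = "1a2b3c4d"  # constructed issuer hash for the Sub CA
    cache = HashDirCache()
    directory = {}
    served = [cache.lookup_crl(sub_ca, directory)]       # empty directory
    directory[f"{sub_ca}.r0"] = {"revoked": []}
    served.append(cache.lookup_crl(sub_ca, directory))   # r0 on disk
    directory.clear()
    served.append(cache.lookup_crl(sub_ca, directory))   # r0 deleted, still cached
    directory[f"{sub_ca}.r1"] = {"revoked": ["client_1"]}
    served.append(cache.lookup_crl(sub_ca, directory))   # r1 must supersede r0
    return served
```

The fourth entry is what the manual's rule predicts for step 4; the ticket reports that 1.0.1e accepted the connection instead.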