On Tue Jul 19 08:47:11 2016, levitte wrote:
> My answer was incorrect...
>
> What happens when trying to find a CRL is that get_cert_by_subject (in
> crypto/x509/by_dir.c) gets called, and it will try to load every file it finds
> (so both $hash{sub_ca}.r0 and $hash{sub_ca}.r1). However, when trying to
> store them in the internal store, it will only do so if no other object with
> the same hash is already there. Hence, $hash{sub_ca}.r1 will essentially be
> ignored.
>
> Either way, if both CRLs (with the same issuer name) were stored internally, it
> would still be a good question which one would actually be used. How would that
> be determined?
If there are multiple CRLs with the appropriate scope then the first one where the current time falls between lastUpdate and nextUpdate is used. It is possible to dynamically update CRLs but currently only the time criterion is used. So if the first one fails the time test the next is used.

This isn't ideal and something relying on the most recent or the highest CRL number would be preferable.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
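The following is an added illustration, not code from this thread or from OpenSSL, of the two behaviours discussed above: the by_dir store keeping only the first object per subject hash (levitte's description) and the "first CRL that passes the time test" selection rule versus the "highest CRL number" rule Steve calls preferable. The CRL metadata, the hash value `ab12cd34`, the file labels and the revoked serial numbers are all constructed for the example; it models only the fields relevant to selection and does not parse real CRLs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Optional, Sequence

UTC = timezone.utc


@dataclass(frozen=True)
class CrlInfo:
    """Constructed stand-in for the CRL fields that matter for selection."""
    label: str               # file the CRL was loaded from, e.g. "$hash.r0"
    issuer_hash: str         # subject-name hash that by_dir uses in file names
    last_update: datetime    # CRL lastUpdate
    next_update: datetime    # CRL nextUpdate
    crl_number: int          # value of the CRL Number extension
    revoked: FrozenSet[int]  # serial numbers listed as revoked in this CRL


def store_first_per_hash(loaded: Sequence[CrlInfo]) -> List[CrlInfo]:
    """Model of the quoted by_dir behaviour: every $hash.rN file is read,
    but the internal store keeps only the first object for a given hash,
    so a later $hash.r1 is effectively ignored."""
    store = {}
    for crl in loaded:
        store.setdefault(crl.issuer_hash, crl)
    return list(store.values())


def time_valid(crl: CrlInfo, now: datetime) -> bool:
    """The only criterion the reply says is currently applied:
    'now' must fall between lastUpdate and nextUpdate."""
    return crl.last_update <= now <= crl.next_update


def select_first_valid(crls: Sequence[CrlInfo], now: datetime) -> Optional[CrlInfo]:
    """Current rule as described: the first CRL passing the time test wins;
    if the first fails the time test, the next one is tried."""
    for crl in crls:
        if time_valid(crl, now):
            return crl
    return None


def select_highest_number(crls: Sequence[CrlInfo], now: datetime) -> Optional[CrlInfo]:
    """The alternative called preferable: among time-valid CRLs, prefer the
    one with the highest CRL number (i.e. the most recent issue)."""
    valid = [c for c in crls if time_valid(c, now)]
    return max(valid, key=lambda c: c.crl_number) if valid else None


def is_revoked(crl: Optional[CrlInfo], serial: int) -> bool:
    """Revocation answer a verifier would give using the selected CRL."""
    return crl is not None and serial in crl.revoked


# Constructed sample: two CRLs from the same issuer with overlapping validity.
# The newer one (r1) additionally revokes serial 2.
CRL_R0 = CrlInfo("ab12cd34.r0", "ab12cd34",
                 datetime(2016, 7, 1, tzinfo=UTC), datetime(2016, 7, 15, tzinfo=UTC),
                 crl_number=10, revoked=frozenset({1}))
CRL_R1 = CrlInfo("ab12cd34.r1", "ab12cd34",
                 datetime(2016, 7, 10, tzinfo=UTC), datetime(2016, 8, 10, tzinfo=UTC),
                 crl_number=11, revoked=frozenset({1, 2}))
BOTH = [CRL_R0, CRL_R1]

# Constructed evaluation times.
NOW_BOTH_VALID = datetime(2016, 7, 12, tzinfo=UTC)          # r0 and r1 both in window
NOW_R0_EXPIRED = datetime(2016, 7, 19, 8, 47, tzinfo=UTC)   # only r1 still in window
NOW_ALL_EXPIRED = datetime(2016, 9, 1, tzinfo=UTC)          # neither in window


if __name__ == "__main__":
    print("store keeps:", [c.label for c in store_first_per_hash(BOTH)])
    for now in (NOW_BOTH_VALID, NOW_R0_EXPIRED, NOW_ALL_EXPIRED):
        first = select_first_valid(BOTH, now)
        newest = select_highest_number(BOTH, now)
        print(now.date(),
              "first-valid ->", first.label if first else None,
              "| serial 2 revoked?", is_revoked(first, 2),
              "|| highest-number ->", newest.label if newest else None,
              "| serial 2 revoked?", is_revoked(newest, 2))
```

The run on 2016-07-12 is the case worth noticing from a verification standpoint: both CRLs pass the time test, the first-valid rule returns the older r0 and reports serial 2 as not revoked, while the highest-number rule returns r1 and reports it revoked. Once r0's nextUpdate has passed, both rules agree on r1; after both have expired, neither returns a CRL.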