On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
> On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
>
> > On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
> >
> > > "X509_LOOKUP_hash_dir is a more advanced method, which loads certificates
> > > and CRLs on demand, and caches them in memory once they are loaded. As of
> > > OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer
> > > CRLs are as soon as they appear in the directory. When checking for new CRLs
> > > once one CRL for given hash value is loaded, hash_dir lookup method checks
> > > only for certificates with sequence number greater than that of the already
> > > cached CRL" - This certainly does not happen. It should have stated that only
> > > unique file names will be loaded for once from the disk and the new ones for
> > > the same issuer will not be looked up even if you change the sequence
> > > number.
> > >
> >
> > They should be looked up: if they aren't this is a bug.
> >
> > The problem is that unless the current time exceeds the nextUpdate field of
> > the new CRL it won't be used: it will use the first one where the current time
> > is between lastUpdate and nextUpdate.
> >
> > When you added a new CRL was it just "newer" (i.e. thisUpdate later than the
> > the new CRL wasn't used that's a bug which should be fixed.
> >
>
> Argh... I mean "lastUpdate" not "lastUpdate".
>

Oops.. ;-)

Err... I'll try that again. I meant "lastUpdate" not "thisUpdate".

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev