In message <20160803.154155.2198714958292922881.levi...@openssl.org> on Wed, 03 Aug 2016 15:41:55 +0200 (CEST), Richard Levitte <levi...@openssl.org> said:
levitte> In message <20160803131344.gb2...@nikhef.nl> on Wed, 3 Aug 2016 15:13:44 +0200, Mischa Salle <msa...@nikhef.nl> said:
levitte>
levitte> msalle> By the way, even for RFC proxies I still have the problem that setting
levitte> msalle> the flag X509_V_FLAG_CRL_CHECK (and X509_V_FLAG_CRL_CHECK_ALL) to do CRL
levitte> msalle> checking results in a failure. I haven't looked yet what causes it, but
levitte> msalle> that flag should be ignored for proxy certificates in my opinion.
levitte> msalle> Perhaps I'm doing something wrong...?
levitte>
levitte> I believe you've found a bug!

Thanks. I'm attaching the fix I came up with. Please try it out and see if things work better.

Cheers,
Richard

--
Richard Levitte         levi...@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
commit 2a228d15d9e662e2d66c8af64997dbd3f2b8df2e Author: Richard Levitte <levi...@openssl.org> Date: Wed Aug 3 16:02:20 2016 +0200 Don't check any revocation info on proxy certificates Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 099a4d8..2874574 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -844,6 +844,9 @@ static int check_cert(X509_STORE_CTX *ctx) ctx->current_crl_score = 0; ctx->current_reasons = 0; + if (x->ex_flags & EXFLAG_PROXY) + return 1; + while (ctx->current_reasons != CRLDP_ALL_REASONS) { unsigned int last_reasons = ctx->current_reasons;
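Review bot: the unconditional `if (x->ex_flags & EXFLAG_PROXY) return 1;` at the top of check_cert skips more than the commit message intends: a proxy certificate that does carry CRL distribution point information is exempted too, and the return happens before any lookup is even attempted. The more important consequence is for callers that set X509_V_FLAG_CRL_CHECK without X509_V_FLAG_CRL_CHECK_ALL: check_cert is then only invoked for the leaf (error_depth 0), and in a proxy chain the leaf is the proxy, so with this change such callers get no revocation check at all, not even of the end-entity certificate that issued the proxy. Consider either walking up to the first non-proxy certificate when only the leaf is being checked, or only skipping the proxy when no CRL can be found for it, and in either case add a sentence to the X509_V_FLAG_CRL_CHECK / X509_V_FLAG_CRL_CHECK_ALL documentation stating that proxy certificates are not checked against CRLs, since this silently changes what "CRL checking" means for applications that use X509_V_FLAG_ALLOW_PROXY_CERTS.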