Per Mützell wrote:
>
> We have problems with CRL verification in OpenSSL 0.9.6.
> The problem is identified as related to a bug in the current ASN1-module.
> (See attached message from openssl-dev list.)
> The CA that we use generates CRLs that add OPTIONAL, SEQUENCE OF and/or
> SET OF items.
> These items CAN NOT be handled by 0.9.6 today.
>
> As I've heard, this will be fixed in 0.9.7 (a rewritten ASN1-module).
> Is that correct? Will there be a fix in 0.9.6 earlier (or in a current
> SNAP)?
> I would also like to know when we can expect 0.9.7 to be released.
>

I've applied a fix to some aspects of this which may help, please try
the openssl-stable snapshot, which will become OpenSSL 0.9.6a.

If the revoked field is empty (as opposed to absent) then it will still
have problems but if the extensions SEQUENCE OFs are empty (which is
technically illegal) then it will deal with that.

OpenSSL 0.9.7 won't have any problems due to the rewritten ASN1 code but
its release is some way off.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
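The distinction drawn in the reply above, an optional field that is absent versus one that is present but empty, shown at the DER level as an added example that is not OpenSSL code and not part of the original thread. The function names and sample encodings are constructed for illustration, and the input is assumed to be the DER of the TBSCertList alone, using single-byte tags.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0                       # split constructed content into (tag, value) pairs
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_tbs_cert_list(der):
    """Report revokedCertificates and crlExtensions as absent, empty or present."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    fields = children(body)
    i = 1 if fields and fields[0][0] == 0x02 else 0          # optional version INTEGER
    i += 2                                                   # signature, issuer
    while i < len(fields) and fields[i][0] in (0x17, 0x18):  # thisUpdate, nextUpdate
        i += 1
    result = {"revoked": "absent", "extensions": "absent"}
    if i < len(fields) and fields[i][0] == 0x30:             # revokedCertificates SEQUENCE OF
        result["revoked"] = "present" if fields[i][1] else "empty"
        i += 1
    if i < len(fields) and fields[i][0] == 0xA0:             # crlExtensions [0] EXPLICIT
        inner = children(fields[i][1])
        result["extensions"] = "present" if inner and inner[0][1] else "empty"
    return result

def tlv(tag, content=b""):                 # sample builder: short-form length, < 128 bytes
    return bytes([tag, len(content)]) + content

# Constructed samples: version, AlgorithmIdentifier (OID 1.2.3), empty issuer, thisUpdate.
HEAD = tlv(0x02, b"\x01") + tlv(0x30, tlv(0x06, b"\x2a\x03")) + tlv(0x30) + tlv(0x17, b"010101000000Z")
ABSENT = tlv(0x30, HEAD)                                     # both optional fields omitted
EMPTY_REVOKED = tlv(0x30, HEAD + tlv(0x30))                  # 30 00 where the list would be
EMPTY_EXTENSIONS = tlv(0x30, HEAD + tlv(0xA0, tlv(0x30)))    # A0 02 30 00
```

Running `classify_tbs_cert_list` over a CA's CRL output before deployment shows which of the two cases from the reply a given CRL falls into; RFC 5280 requires `revokedCertificates` to be absent when nothing is revoked and defines `Extensions` as `SIZE (1..MAX)`.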