Hi,

since there is no IDP extension in the CRLs, how can I check all the CRLs?

I'm using apache + mod_ssl (and so openssl) to verify client authentication.

Could you please tell me how I can modify the call to "SSL_X509_STORE_lookup" so that it loops over all ".rN" symlink files instead of stopping at ".r0"?

thanks in advance,

M.M.
 
> Date: Tue, 15 Jun 2010 00:37:15 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: openssl 1.0.0, multiple crls same issuer - revoked cert
> 
> On Mon, Jun 14, 2010, matteo mattau wrote:
> 
> > Hi, thanks for attention. The CRLs expire all at the same time, all the CRLs
> > have the same "nextupdate" date and time. So all the CRLs are valid when I use
> > them to validate the certificate. The situation is the one described as
> > "real world". The CA manager has decided to generate several CRLs, all valid,
> > all with the same nextupdate attribute, the download url is
> > like http://ca.domain.com/CRLn, where n is from 1 to 100. In the CRL I've
> > not seen a critical issuer distribution point extension. Sorry, but I've
> > not understood what is the right way to check if the certificate is revoked
> > in this case... and how I can configure openssl to support multiple CRLs of
> > the same issuer. Do I have to use one file for each CRL, and N symbolic links, or
> > one file with all the CRLs concatenated, and only one symbolic link? thanks
> > in advance, M.M.
> > 
> 
> If there are no extensions to indicate that the CRL scope is limited (see
> RFC3280 et al) then this is a non-standard implementation which OpenSSL cannot
> handle by default nor would any other RFC3280 compliant validation process.
> 
> If the URLs are http (not https) then this is rather problematical because an
> attacker with a revoked certificate could intercept the transfer and replace
> their CRL with one of different scope and it would look valid.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
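The two behaviours the thread contrasts, as an added example that is not part of the thread and not OpenSSL's or mod_ssl's code: a validator that takes the first current CRL from the issuer as complete (which silently misses a revocation recorded in fragment 2 of N), beside one that treats every CRL of the issuer as a fragment and only answers "good" when all fragments are current and none lists the serial. The `Crl`/`Cert` records, the placeholder directory hash "a1b2c3d4" and the CRL contents are constructed for the demo (in practice they would come from parsed CRL files), and `hashed_dir_crl_names` is our own model of walking `<hash>.r0`, `<hash>.r1`, ... until a suffix is missing, not OpenSSL's by_dir implementation. As Steve notes above, this whole scheme is non-standard: a standards-compliant validator has no way to know that a CRL without an IDP is partial, and the fragments must be fetched over a channel where an attacker cannot substitute one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    has_idp: bool            # is an Issuing Distribution Point extension present?
    revoked: frozenset       # serial numbers (ints) listed in this CRL


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int


def hashed_dir_crl_names(listing, name_hash):
    """Walk a hashed CRL directory: take <hash>.r0, <hash>.r1, ... in order
    and stop at the first missing suffix. This is our own model of the walk,
    not OpenSSL's code; `name_hash` is a placeholder, not a real name hash."""
    present = set(listing)
    found = []
    n = 0
    while f"{name_hash}.r{n}" in present:
        found.append(f"{name_hash}.r{n}")
        n += 1
    return found


def _current(crl, now):
    return crl.this_update <= now <= crl.next_update


def first_crl_status(cert, crls, now):
    """What a validator that treats the first matching CRL as complete does:
    the first current CRL from the issuer decides, the rest are never read."""
    for crl in crls:
        if crl.issuer == cert.issuer and _current(crl, now):
            return "revoked" if cert.serial in crl.revoked else "good"
    return "undetermined"


def all_crls_status(cert, crls, now):
    """Policy for a CA that splits its list into N CRLs with no IDP: every
    CRL is only a fragment, so 'good' requires that *all* of the issuer's
    CRLs are current and none lists the serial. A listed serial counts even
    from a stale fragment; a missing or stale fragment otherwise means we
    cannot prove non-revocation, so we fail closed instead of saying 'good'."""
    mine = [c for c in crls if c.issuer == cert.issuer]
    if not mine:
        return "undetermined"
    if any(c.has_idp for c in mine):
        # A scoped CRL must be matched against the certificate's CRL
        # distribution point instead; that standard path is not modelled here.
        return "undetermined"
    if any(cert.serial in c.revoked for c in mine):
        return "revoked"
    if all(_current(c, now) for c in mine):
        return "good"
    return "undetermined"


# Constructed sample data (not from the thread): same issuer, same nextUpdate,
# no IDP, revocations spread over three fragments.
ISSUER = "CN=Example CA, O=Example"
NOW = datetime(2010, 6, 15, 12, 0, tzinfo=timezone.utc)
VALID_FROM = NOW - timedelta(days=1)
VALID_TO = NOW + timedelta(days=6)

CRLS = [
    Crl(ISSUER, VALID_FROM, VALID_TO, False, frozenset({0x1001})),
    Crl(ISSUER, VALID_FROM, VALID_TO, False, frozenset({0x2002, 0x2003})),
    Crl(ISSUER, VALID_FROM, VALID_TO, False, frozenset({0x3004})),
]
# A fragment whose nextUpdate has already passed.
STALE_FRAGMENT = Crl(ISSUER, VALID_FROM - timedelta(days=30),
                     VALID_FROM - timedelta(days=23), False, frozenset())
CLIENT = Cert(ISSUER, 0x2003)   # listed only in the second fragment

# Constructed directory listing; "a1b2c3d4" is a placeholder, not a real hash.
LISTING = ["a1b2c3d4.0", "a1b2c3d4.r0", "a1b2c3d4.r1", "a1b2c3d4.r2",
           "a1b2c3d4.r4", "0f0f0f0f.r0"]

if __name__ == "__main__":
    print("CRL files found:", hashed_dir_crl_names(LISTING, "a1b2c3d4"))
    print("first CRL only: ", first_crl_status(CLIENT, CRLS, NOW))
    print("all CRLs:       ", all_crls_status(CLIENT, CRLS, NOW))
```

Note that `.r3` being absent stops the walk before `.r4`, so a gap in the symlink numbering silently drops a fragment: if the fragments are installed as separate `.rN` links they must be numbered contiguously, which is an argument for checking that the number of CRLs loaded equals the number the CA publishes.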
                                          