Hi, since there is no IDP extension in the CRLs, please, how can I check all
the CRLs? I'm using apache + mod_ssl (and so openssl) to verify client
authentication. Please could you help me by telling me how I can modify the
call to "SSL_X509_STORE_lookup" to loop over all ".rN" symlink files and not
stop at ".r0"?

thanks in advance,
M.M.

> Date: Tue, 15 Jun 2010 00:37:15 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: openssl 1.0.0, multiple crls same issuer - revoked cert
>
> On Mon, Jun 14, 2010, matteo mattau wrote:
>
> > Hi, thanks for attention. The CRLs all expire at the same time, all the CRLs
> > have the same "nextupdate" date and time. So all the CRLs are valid when I use
> > them to validate the certificate. The situation is the one described as
> > "real world". The CA manager has decided to generate several CRLs, all valid,
> > all with the same nextupdate attribute, the download url is
> > like http://ca.domain.com/CRLn, where n is from 1 to 100. In the CRL I've
> > not seen a critical issuer distribution point extension. Sorry, but I've
> > not understood what is the right way to check if the certificate is revoked
> > in this case... and how I can configure openssl to support multiple CRLs of
> > the same issuer. Do I have to use one file for each CRL, and N symbolic links,
> > or one file with all the CRLs concatenated, and only one symbolic link?
> >
> > thanks in advance,
> > M.M.
> >
>
> If there are no extensions to indicate that the CRL scope is limited (see
> RFC3280 et al) then this is a non-standard implementation which OpenSSL cannot
> handle by default nor would any other RFC3280 compliant validation process.
>
> If the URLs are http (not https) then this is rather problematical because an
> attacker with a revoked certificate could intercept the transfer and replace
> their CRL with one of different scope and it would look valid.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
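The situation in the thread, reproduced as an added example (this script is not from the thread, from OpenSSL or from mod_ssl): a CA issues several CRLs for the same issuer, none of them carrying an Issuing Distribution Point, and a certificate revoked only in the second CRL. OpenSSL's directory lookup does load every <hash>.rN file it finds, but the verifier then validates a certificate against one CRL it selects for that issuer, which is why a serial listed only in another CRL is missed. The script builds a throwaway CA, two leaf certificates and two CRLs with the openssl command-line tool (all names, the CA config and the key material are constructed test data), lays the CRLs out as mod_ssl's SSLCARevocationPath expects, and then does what the questioner asked for: runs the revocation check once per CRL file instead of stopping at the first. It assumes a system openssl with its default openssl.cnf installed.

```shell
#!/bin/sh
# Added example: several CRLs from one issuer without an IDP, checked one by one.
# Everything generated here is throwaway test material, not a real CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a throwaway CA, two leaf certs, and two CRLs from the same issuer.
# CRL 1 is empty; CRL 2 revokes "client". Both are valid at the same time.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
  for name in client other; do
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -sha256 -out "$name.pem" 2>/dev/null
  done

  # Minimal 'openssl ca' configuration: only what -gencrl and -revoke need.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca

[ test_ca ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
EOF
  : > index.txt
  echo 01 > crlnumber

  openssl ca -config ca.cnf -gencrl -out crl1.pem 2>/dev/null
  openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl2.pem 2>/dev/null

  # Lay the CRLs out as mod_ssl's SSLCARevocationPath expects:
  # <issuer subject hash>.r0, <hash>.r1, ... as symlinks to the CRL files.
  H=$(openssl x509 -noout -hash -in ca.pem)
  mkdir crls
  ln -s ../crl1.pem "crls/$H.r0"
  ln -s ../crl2.pem "crls/$H.r1"
}

# Check CERT against every CRL file given, not just the first one found.
# Each CRL is still verified by OpenSSL (issuer match, signature, validity
# window); a CRL that fails for any other reason stops the loop with "error".
# Prints exactly one word: good | revoked | error
revocation_status() {
  cert=$1; shift
  status=good
  for crl in "$@"; do
    if out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" \
                 -CRLfile "$crl" "$cert" 2>&1); then
      continue
    fi
    case $out in
      *"certificate revoked"*) status=revoked; break ;;
      *)                       status=error;   break ;;
    esac
  done
  echo "$status"
}

make_pki
echo "client, first CRL only: $(revocation_status client.pem "crls/$H.r0")"  # good (revocation missed)
echo "client, all CRLs:       $(revocation_status client.pem crls/"$H".r*)"  # revoked
echo "other,  all CRLs:       $(revocation_status other.pem  crls/"$H".r*)"  # good
```

The per-CRL loop is the answer to the narrow question (consult every .rN file), but it does not remove the problem Steve raises: each CRL is correctly signed and within its validity window, so an attacker who can tamper with an http download only needs to serve one legitimately signed CRL in place of another to make the revoked serial disappear from what the verifier sees. Only a single full-scope CRL, or CRLs whose scope is bound by an Issuing Distribution Point, lets a validator know that it has seen everything.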