This was mentioned briefly in another thread by myself. I thought it
deserved its own discussion. The copies of how it went on are pasted below.


Section 6.3.3. of RFC 5280 - CRL Processing
"This algorithm begins by assuming that the certificate is not revoked....
For each distribution point (DP) in the certificate's CRL distribution
points extension, for each corresponding CRL ...."

So my expectation is that after I instruct OpenSSL to perform CRL
checking -- whether or not I set any CRLs -- no checking must be
done on any certificates which don't have a CRLDP in them.

The spec of course mentions that implementations are not required to
follow this algorithm; however, it also mentions that the end result
must be the same as if they did.

Now as an average user of OpenSSL API, I expect not to have to write any
piece of code (such as over-ruling the validation failure in validation
callback) for the normal process of certificate/CRL validation to take
its course. Is this a reasonable expectation?

thanks
Jeff


********* Original Problem Statement  ************
Re: Need Help with Programmatic Downloading+Checking of CRLs
...

> So as per previous posts, I implemented lookup_crl().
> Now one of the major problems is what do I return from this method, if
> the certificate has no CRL distribution points!
> Returning an empty stack causes get_crl_delta() to fail.
> Is there a flag that I can setup to let this cert be excluded from CRL
> checking?
> Is that something I should be doing in lookup_crl? Or should the
> framework be smart enough not to even ask me for a CRL in this case?
> 
> thanks
> jeff


> There are other "out of band" mechanisms where a CRL might be available but
> not mentioned in a CRLDP. OpenSSL has no way of telling what those might be
> and if the absence is really an error or not.
> 
> The best you can do is trap the issuer error in the verify callback and ignore
> it if appropriate.
> 
> Steve.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org