On Thu, Jan 09, 2014, Jakob Bohm wrote:
> On 1/9/2014 8:14 PM, Dr. Stephen Henson wrote:
> > On Thu, Jan 09, 2014, Bin Lu wrote:
> >
> > > Here is the problem, in cert_crl():
> > >
> > >         /* The rules changed for this... previously if a CRL contained
> > >          * unhandled critical extensions it could still be used to indicate
> > >          * a certificate was revoked. This has since been changed since
> > >          * critical extension can change the meaning of CRL entries.
> > >          */
> > >         if (crl->flags & EXFLAG_CRITICAL)
> > >                 {
> > >                 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
> > >                         return 1;
> > >                 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
> > >                 ok = ctx->verify_cb(0, ctx);
> > >                 if(!ok)
> > >                         return 0;
> > >                 }
> > >
> > > Why are we making this change, skipping the critical CRL extensions? This
> > > is causing all the regressions. In this case, should we expect
> > > X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation
> > > result based on the CRL content? Basically we fail the validation once we
> > > encounter a critical CRL extension, if flag IGNORE_CRITICAL is not set, or
> > > succeed if the flag is set, regardless whatsoever in the CRL ???
> > >
> >
> > This is now a requirement of RFC5280 5.2:
> >
> >    If a CRL contains a critical extension
> >    that the application cannot process, then the application MUST NOT
> >    use that CRL to determine the status of certificates.
> >
>
> That seems a strange reading of the RFC. If a flag to IGNORE this rule
> is passed to OpenSSL, that should certainly ignore the rule, not the CRL.
>
Ugh, yes, you're right, that is a bug. It should carry on and use the CRL if
X509_V_FLAG_IGNORE_CRITICAL is set.

Workaround for now is to override X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
in the callback.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
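The bug and the workaround discussed in this thread, as an added example that is not OpenSSL code and not part of the original messages: a stand-alone C model of the cert_crl() check, with the quoted form (early `return 1` under IGNORE_CRITICAL) beside the corrected form that carries on to use the CRL, plus a verify callback that overrides only X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION. The struct types, the revoked serial and the numeric flag and error values are constructed stand-ins, not OpenSSL's definitions.

```c
/* Added example, not OpenSSL code: a stand-alone model of the cert_crl() logic
 * in this thread. Names mirror OpenSSL's but are stand-ins with made-up values. */
#define EXFLAG_CRITICAL                             0x1
#define X509_V_FLAG_IGNORE_CRITICAL                 0x1
#define X509_V_ERR_CERT_REVOKED                     23
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
typedef struct { int flags; long revoked_serial; } model_crl;
typedef struct model_ctx {
    int param_flags;                /* X509_V_FLAG_* set by the caller */
    int error;                      /* last error reported to verify_cb */
    int (*verify_cb)(int ok, struct model_ctx *ctx);
} model_ctx;
/* Shared tail of cert_crl(): look the certificate's serial up in the CRL. */
static int check_revoked(model_ctx *ctx, const model_crl *crl, long serial) {
    if (serial == crl->revoked_serial) {
        ctx->error = X509_V_ERR_CERT_REVOKED;
        return ctx->verify_cb(0, ctx);
    }
    return 1;                       /* 1 = this CRL does not revoke the cert */
}
/* Form quoted in the thread: with IGNORE_CRITICAL set it returns 1 at once,
 * so the CRL's entries are never consulted and a revoked cert passes. */
int cert_crl_buggy(model_ctx *ctx, const model_crl *crl, long serial) {
    if (crl->flags & EXFLAG_CRITICAL) {
        if (ctx->param_flags & X509_V_FLAG_IGNORE_CRITICAL)
            return 1;               /* bug: ignores the CRL, not the rule */
        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
        if (!ctx->verify_cb(0, ctx))
            return 0;
    }
    return check_revoked(ctx, crl, serial);
}
/* Fixed form per the reply: IGNORE_CRITICAL bypasses only the
 * unhandled-extension error; the CRL's entries are still used. */
int cert_crl_fixed(model_ctx *ctx, const model_crl *crl, long serial) {
    if ((crl->flags & EXFLAG_CRITICAL) &&
        !(ctx->param_flags & X509_V_FLAG_IGNORE_CRITICAL)) {
        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
        if (!ctx->verify_cb(0, ctx))
            return 0;
    }
    return check_revoked(ctx, crl, serial);
}
/* Strict callback: every error is fatal. Workaround callback from the reply:
 * override only the unhandled-critical-CRL error; revocation stays fatal. */
int strict_cb(int ok, model_ctx *ctx) { (void)ctx; return ok; }
int workaround_cb(int ok, model_ctx *ctx) {
    return (!ok && ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION) ? 1 : ok;
}
```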