On Thu, Jan 09, 2014, Jakob Bohm wrote:

> On 1/9/2014 8:14 PM, Dr. Stephen Henson wrote:
> >On Thu, Jan 09, 2014, Bin Lu wrote:
> >
> >>  Here is the problem, in cert_crl():
> >>
> >>        /* The rules changed for this... previously if a CRL contained
> >>          * unhandled critical extensions it could still be used to indicate
> >>          * a certificate was revoked. This has since been changed since
> >>          * critical extension can change the meaning of CRL entries.
> >>          */
> >>         if (crl->flags & EXFLAG_CRITICAL)
> >>                 {
> >>                 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
> >>                         return 1;
> >>                 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
> >>                 ok = ctx->verify_cb(0, ctx);
> >>                 if(!ok)
> >>                         return 0;
> >>                 }
> >>
> >>Why are we making this change, skipping the critical CRL extensions? This 
> >>is causing all the regressions. In this case, should we expect 
> >>X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation 
> >>result based on the CRL content? Basically we fail the validation once we 
> >>encounter a critical CRL extension, if flag IGNORE_CRITICAL is not set, or 
> >>succeed if the flag is set, regardless of whatever is in the CRL ???
> >>
> >
> >This is now a requirement of RFC5280 5.2:
> >
> >    If a CRL contains a critical extension
> >    that the application cannot process, then the application MUST NOT
> >    use that CRL to determine the status of certificates.
> >
> 
> That seems a strange reading of the RFC.  If a flag to IGNORE this rule
> is passed to OpenSSL, that should certainly ignore the rule, not the CRL.
> 
> 

Ugh, yes you're right that is a bug. It should carry on and use the CRL if
X509_V_FLAG_IGNORE_CRITICAL is set.

Workaround for now is to override
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION in the callback.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
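The decision the thread is arguing about, modelled as an added example (this is not OpenSSL's code: the structs are stand-ins for X509_CRL and X509_STORE_CTX, the constant values are copied from the OpenSSL 1.0.x headers, and the serial numbers are constructed). It shows the three behaviours discussed above: the quoted code returning 1 as soon as X509_V_FLAG_IGNORE_CRITICAL is set, so a revoked certificate passes; the corrected logic, which ignores the rule rather than the CRL and still reaches the revocation check; and Steve's workaround, a verify callback that accepts only X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION and lets every other error stand.

```c
/* Model of OpenSSL's cert_crl() handling of critical CRL extensions.
 * Added example, not OpenSSL code: structs are stand-ins, constant
 * values are copied from the 1.0.x headers, serials are constructed. */
#include <stdio.h>
#include <string.h>

#define EXFLAG_CRITICAL                              0x200
#define X509_V_FLAG_IGNORE_CRITICAL                  0x10
#define X509_V_OK                                    0
#define X509_V_ERR_CERT_REVOKED                      23
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION  36

/* Stand-in for X509_CRL: extension flags plus a short revoked list. */
typedef struct {
    unsigned long flags;
    long revoked[4];
    int n_revoked;
} model_crl;

struct model_ctx;
typedef int (*verify_cb_fn)(int ok, struct model_ctx *ctx);

/* Stand-in for X509_STORE_CTX: only what cert_crl() looks at. */
typedef struct model_ctx {
    unsigned long param_flags;   /* ctx->param->flags */
    int error;                   /* ctx->error */
    verify_cb_fn verify_cb;      /* ctx->verify_cb */
    long cert_serial;            /* serial of the cert being checked */
} model_ctx;

static int default_cb(int ok, model_ctx *ctx) { (void)ctx; return ok; }

/* Workaround from the thread: override only the one error code. */
static int ignore_crit_crl_cb(int ok, model_ctx *ctx)
{
    if (!ok && ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)
        return 1;
    return ok;
}

/* Revocation lookup shared by both variants: 1 if not listed,
 * otherwise sets X509_V_ERR_CERT_REVOKED and asks the callback. */
static int check_revoked(model_ctx *ctx, const model_crl *crl)
{
    int i;
    for (i = 0; i < crl->n_revoked; i++) {
        if (crl->revoked[i] == ctx->cert_serial) {
            ctx->error = X509_V_ERR_CERT_REVOKED;
            return ctx->verify_cb(0, ctx);
        }
    }
    return 1;
}

/* Behaviour of the quoted code: with IGNORE_CRITICAL set it returns 1
 * before the CRL is consulted, so a revoked cert is accepted. */
static int cert_crl_buggy(model_ctx *ctx, const model_crl *crl)
{
    ctx->error = X509_V_OK;
    if (crl->flags & EXFLAG_CRITICAL) {
        if (ctx->param_flags & X509_V_FLAG_IGNORE_CRITICAL)
            return 1;
        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
        if (!ctx->verify_cb(0, ctx))
            return 0;
    }
    return check_revoked(ctx, crl);
}

/* What the thread concludes it should do: the flag ignores the rule,
 * not the CRL, so fall through to the revocation check either way. */
static int cert_crl_fixed(model_ctx *ctx, const model_crl *crl)
{
    ctx->error = X509_V_OK;
    if ((crl->flags & EXFLAG_CRITICAL) &&
        !(ctx->param_flags & X509_V_FLAG_IGNORE_CRITICAL)) {
        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
        if (!ctx->verify_cb(0, ctx))
            return 0;
    }
    return check_revoked(ctx, crl);
}

/* A cert whose serial is on a CRL that carries an unhandled critical
 * extension. Returns cert_crl()'s result; *err gets the final ctx->error. */
static int run(int fixed, int ignore_flag, int use_cb, int *err)
{
    model_crl crl = { EXFLAG_CRITICAL, { 0x1001, 0x1002 }, 2 }; /* constructed */
    model_ctx ctx;
    int ok;
    memset(&ctx, 0, sizeof ctx);
    ctx.cert_serial = 0x1002;                                   /* revoked */
    ctx.param_flags = ignore_flag ? X509_V_FLAG_IGNORE_CRITICAL : 0;
    ctx.verify_cb = use_cb ? ignore_crit_crl_cb : default_cb;
    ok = fixed ? cert_crl_fixed(&ctx, &crl) : cert_crl_buggy(&ctx, &crl);
    if (err) *err = ctx.error;
    return ok;
}

int scenario(int fixed, int ignore_flag, int use_cb)       { return run(fixed, ignore_flag, use_cb, NULL); }
int scenario_error(int fixed, int ignore_flag, int use_cb) { int e; run(fixed, ignore_flag, use_cb, &e); return e; }

int main(void)
{
    printf("buggy  + IGNORE_CRITICAL : ok=%d err=%d (revoked cert accepted)\n",
           scenario(0, 1, 0), scenario_error(0, 1, 0));
    printf("fixed  + IGNORE_CRITICAL : ok=%d err=%d (revocation found)\n",
           scenario(1, 1, 0), scenario_error(1, 1, 0));
    printf("buggy  + callback        : ok=%d err=%d (revocation found)\n",
           scenario(0, 0, 1), scenario_error(0, 0, 1));
    printf("buggy, no flag, no cb    : ok=%d err=%d (unhandled crit ext)\n",
           scenario(0, 0, 0), scenario_error(0, 0, 0));
    return 0;
}
```

The third scenario is the workaround in practice: install a callback of that shape with X509_STORE_set_verify_cb() (or on the X509_STORE_CTX) and keep it narrow, because a callback that returns 1 for every error turns verification off entirely, whereas this one only suppresses the critical-extension error and still reports X509_V_ERR_CERT_REVOKED.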