[openssl.org #3090] Infinite loop in openssl s_client when verify error Different CRL scope occurs

2014-06-29 Thread Stephen Henson via RT
Reported bug fixed. Ticket resolved.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3090] Infinite loop in openssl s_client when verify error Different CRL scope occurs

2013-07-23 Thread Franck Youssef via RT
Dear Steve,

Thank you for the fix; it avoids looping with the s_client app as well as with 
the API call.

I still have a question regarding CRL scopes I would like to address to you.

The X509_V_ERR_DIFFERENT_CRL_SCOPE happened because I downloaded a CRL from a 
CRL Distribution Point (CRLDP) found in another server certificate. 
That downloaded CRL had a different scope than the server certificate it was 
matched against later, which leads me to the following question: is a CRL not 
only unique by its Issuer Name and its Authority Key ID, but also by its Scope, 
or to be more precise, by its "IDP - FullName" attribute?

Furthermore, how can a unique URI represent a "scope"? 
In our case, the server certificate had as CRLDP "URI1" when the CRL had as 
its only IDP field: FullName: URI2. Hence, non-matching scopes?
To my understanding, multiple CRLDPs were used to provide some kind of 
redundancy. But is it possible that an issuer, with a given subject name and 
subject key ID, issues various CRLs with different sets of revoked 
certificates, in order to partition its set of all revoked certificates, 
differing by IDP attribute? Or would these CRLs only have different IDPs but 
still the same content (same set of revoked certificates)?

Thank you in advance for your explanations.

Kind regards, Franck

-- 
franck youssef
junior engineer
open systems ag
f...@open.ch
http://www.open.ch


On Jul 12, 2013, at 6:51 PM, Stephen Henson via RT  wrote:

> On Fri Jul 12 14:22:46 2013, steve wrote:
>> 
>> Obviously the loop shouldn't happen: I'll look into fixing that.
>> 
> 
> Should be fixed with this:
> 
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe
> 
> Regards, Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> 


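The scope comparison behind the question above, modelled in Python as an added example (not OpenSSL's code): RFC 5280 section 6.3.3 step (b) requires a name in the CRL's IDP to match a name in the certificate's CRLDP, so a CRL whose IDP names URI2 does not cover a certificate whose CRLDP names only URI1. The issuer name, URIs, serials and revoked sets below are constructed, and the onlyContainsUserCerts/onlyContainsCACerts handling is included as the other half of the same step.

```python
"""Simplified model of the CRL scope check in RFC 5280 section 6.3.3 step (b).
Constructed example, not OpenSSL's code. Names are plain strings standing in for
the URIs in a cert's cRLDistributionPoints (CRLDP) and a CRL's IDP extension."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    is_ca: bool
    crldp_names: tuple        # CRLDP distributionPoint fullName URIs

@dataclass(frozen=True)
class CRL:
    issuer: str
    idp_names: tuple = ()     # IDP distributionPoint fullName URIs; () if absent
    only_user_certs: bool = False   # IDP onlyContainsUserCerts
    only_ca_certs: bool = False     # IDP onlyContainsCACerts
    revoked: frozenset = frozenset()

def crl_scope_matches(cert: Cert, crl: CRL) -> bool:
    """(b)(1): onlyContains* flags must fit the cert type. (b)(2): if the IDP
    names a distribution point, one name must also be in the cert's CRLDP; else
    the CRL has a different scope (OpenSSL: X509_V_ERR_DIFFERENT_CRL_SCOPE)."""
    if crl.issuer != cert.issuer:
        return False
    if (crl.only_user_certs and cert.is_ca) or (crl.only_ca_certs and not cert.is_ca):
        return False
    if crl.idp_names:
        return bool(set(crl.idp_names) & set(cert.crldp_names))
    return True  # no IDP name: a full CRL for this issuer

def is_revoked(cert: Cert, candidates: list) -> Optional[bool]:
    """Look the serial up only in an in-scope CRL: an issuer may partition its
    revocation data across CRLs that differ only by IDP (RFC 5280 5.2.5).
    None means no usable CRL was found; never read that as 'not revoked'."""
    crl = next((c for c in candidates if crl_scope_matches(cert, c)), None)
    return None if crl is None else cert.serial in crl.revoked

# Constructed sample: one issuer, two partitioned CRLs, one full CRL.
ISSUER = "CN=Example CA"
URI1, URI2 = "http://crl.example.test/p1.crl", "http://crl.example.test/p2.crl"
SERVER_CERT = Cert(ISSUER, serial=0x1001, is_ca=False, crldp_names=(URI1,))
CRL_P1 = CRL(ISSUER, idp_names=(URI1,), revoked=frozenset({0x1002}))
CRL_P2 = CRL(ISSUER, idp_names=(URI2,), revoked=frozenset({0x2001}))
FULL_CRL = CRL(ISSUER, revoked=frozenset({0x1002}))
```

With the sample data, CRL_P2 is exactly the downloaded-from-another-certificate case: same issuer, but its IDP names URI2, so it is rejected for SERVER_CERT rather than consulted.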


[openssl.org #3090] Infinite loop in openssl s_client when verify error Different CRL scope occurs

2013-07-12 Thread Stephen Henson via RT
On Fri Jul 12 14:22:46 2013, steve wrote:
>
> Obviously the loop shouldn't happen: I'll look into fixing that.
>

Should be fixed with this:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe

Regards, Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl.org #3090] Infinite loop in openssl s_client when verify error Different CRL scope occurs

2013-07-12 Thread Stephen Henson via RT
On Thu Jul 11 23:50:49 2013, f...@open.ch wrote:
>
> The following bug occurred with s_client under
> * OpenSSL 1.0.1c 10 May 2012
> * OpenSSL 1.0.1e 11 Feb 2013.
>
> However, not triggered with s_client under
> * OpenSSL 0.9.8x 10 May 2012.
>
> API calls tested and failed under
> * OpenSSL 1.0.1c 10 May 2012.
>
> By connecting with s_client to https://www.wordpress.com for instance,
> and performing CRL checks, s_client gets stuck when comparing the
> server certificate to the corresponding CRL:
>

I downloaded the corresponding server CRL from www.wordpress.com and don't get
that issue. I can however reproduce it when I use one of your supplied CRLs
with that site and checking through the CRL shows that its scope doesn't match
the server. I've not had a chance to try the other sites yet.

The s_client utility is somewhat artificial in that it tries to continue after
any and all verification errors: if a real application did that it would have
zero security. If you include the option -verify_return_error to s_client only
the first verification error is noted and you shouldn't get the loop any more.

Obviously the loop shouldn't happen: I'll look into fixing that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
