On Tuesday 30 August 2011 12:29:23 Raphael Geissert wrote:
> AFAIR they only know about CRL (Certificate Revocation List,) which only
> allows for one issuer per-file.
>
> What I can't tell for sure from the documentation is whether OpenSSL and
> GnuTLS do check the CRL's validity (signature and time.) It doesn't seem
> like they do.
> This is relevant if we were to ship them in ca-certificates.
Just for future reference, after further investigation:

OpenSSL _does_ check the CRL's signature. CRLs should be available, via
symlinks for example, in /etc/ssl/certs[1] and c_rehash run on that
directory. Applications using OpenSSL may instruct it to load the CRLs in
two different ways: by manually loading every single CRL, or by adding the
/etc/ssl/certs path to the X509 store. However, failure to find a CRL for
the signer's cert results in validation failure.

What I still haven't verified is whether the presence or absence of the CRL
Distribution Points leads to a behaviour change (I'd assume it doesn't.)

GnuTLS does seem to require that every CRL is loaded. Haven't tested its
behaviours.

[1] A different directory may be used, but for compatibility with
openssl(1) the same directory should be used.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
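The hash-directory behaviour described in the message above (CRLs linked into an /etc/ssl/certs-style directory, found through the X509 store, and verification failing when no CRL exists for the issuer) can be reproduced end to end with the openssl(1) command-line tool. The script below is an added example written for this page; it is not part of the mail, of ca-certificates, or of OpenSSL's own tooling. It builds a throwaway CA, a leaf certificate and a CRL in a temporary directory, creates the `<hash>.0` and `<hash>.r0` links by hand (the same layout c_rehash produces) instead of relying on c_rehash being installed, and then runs `openssl verify -crl_check` in three states: no CRL present, a valid CRL that does not list the leaf, and a CRL that revokes it. The CA name, host name, config keys and directory layout are all constructed for the example; it assumes an `openssl` binary with a usable default openssl.cnf on the PATH.

```shell
#!/bin/sh
# Added demonstration of OpenSSL's CApath CRL lookup (constructed example,
# not code from the mail or from the ca-certificates package).
set -u

# Build a throwaway CA plus one leaf certificate and a hash directory that
# holds the CA cert as <hash>.0. Prints the working directory.
make_pki() {
    dir=$(mktemp -d)
    # Minimal config so `openssl ca` can emit CRLs and record revocations.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # Self-signed CA (constructed name)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CRL Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Leaf certificate issued by that CA (constructed name)
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" >/dev/null 2>&1
    # Hash directory in the /etc/ssl/certs style: <subject-hash>.0 -> CA cert
    mkdir "$dir/certs"
    ln -s ../ca.crt "$dir/certs/$(openssl x509 -in "$dir/ca.crt" -noout -hash).0"
    echo "$dir"
}

# (Re)issue the CA's CRL and link it as <issuer-hash>.r0, which is the name
# c_rehash would give it and the name the X509 store's CApath lookup expects.
publish_crl() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
    ln -sf ../crl.pem "$dir/certs/$(openssl crl -in "$dir/crl.pem" -noout -hash).r0"
}

# Verify the leaf against the hash directory with CRL checking enabled.
# Prints "ok" or "fail"; the ": OK" text is checked rather than the exit
# status because old openssl(1) releases exit 0 even when verification fails.
verify_leaf() {
    dir=$1
    out=$(openssl verify -crl_check -CApath "$dir/certs" "$dir/leaf.crt" 2>&1 || true)
    case "$out" in
        *": OK"*) echo ok ;;
        *)        echo fail ;;
    esac
}

# Revoke the leaf through the CA database and publish a fresh CRL.
revoke_leaf() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.crt" >/dev/null 2>&1
    publish_crl "$dir"
}

# Run the three states the mail's observations cover and print the outcome.
run_demo() {
    dir=$(make_pki)
    no_crl=$(verify_leaf "$dir")     # issuer has no CRL in CApath -> fail
    publish_crl "$dir"
    with_crl=$(verify_leaf "$dir")   # valid, signed CRL; leaf not listed -> ok
    revoke_leaf "$dir"
    revoked=$(verify_leaf "$dir")    # leaf appears on the CRL -> fail
    rm -rf "$dir"
    echo "no_crl=$no_crl with_crl=$with_crl revoked=$revoked"
}

run_demo
```

Running it prints `no_crl=fail with_crl=ok revoked=fail`. The first state is the one the mail warns about: with CRL checking turned on, a missing CRL for the signer is a hard verification error, not a silent pass, so a deployment that ships some CRLs in the hash directory must ship one for every issuer it expects to see. The middle state only succeeds because the CRL's signature verifies against the CA certificate found in the same directory and its nextUpdate is still in the future; a stale or tampered CRL would put the leaf back into the failing column.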