On Wed, Jun 25, 2003, Lee Dilkie wrote:
> > It always assumes that a certificate will have an accessible current CRL. As I
> > mentioned the absence of a CRLDP extension doesn't necessarily mean that the CA
> > doesn't issue CRLs: just that it doesn't give details about how to download
> > them in the certificate.
> >
> > Steve.
>
> Ok, so I didn't misunderstand. My problem is this. Some CAs issue CRLs
> and some don't. The CRL extension is the only way to know for sure that
> there is supposed to be a CRL for an issued certificate. I fully agree with
> returning a verification failure if that CRL isn't available.
>
> However, the case of a certificate without a CRL extension is more
> difficult. It's not possible to know if there is an out-of-band CRL or not.
> I would think a warning would be a better thing to give than an error. Or
> perhaps a(nother) flag to indicate that you wish to ignore CRL-not-found
> errors for certificates with no CRL extensions. Otherwise we end up with the
> case we have here. Someone wants to turn on CRL checking because that's the
> right and secure thing to do, but the built-in verify is too strict and is
> not returning useful results. Short of writing his own verify code (a fairly
> major effort to get right) I worry that this will discourage using the CRL
> checking features and we end up poorer off, security wise.
>
There isn't a mechanism for issuing a warning in the verify code at present.
The behaviour OpenSSL exhibits is its default behaviour. To modify this an
application doesn't have to write its own verify code: it just needs to handle
the CRL not found error in the verify callback.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.