PS wrote:
Hi All,
I was under the impression that openssl allows loading multiple CRLs
for the same issuer. But, this does not seem to be the case as is
proved by using "openssl verify".
$ ls -l ./ca/
total 24
lrwxrwxrwx 1 pshah users 10 Jan 28 21:56 ba4bb3b6.0 -> cacert.pem -----> the CA cert
lrwxrwxrwx 1 pshah users 14 Jan 28 21:56 ba4bb3b6.r0 -> revoked_48.pem ----> revokes only cert48.pem
lrwxrwxrwx 1 pshah users 14 Jan 28 21:56 ba4bb3b6.r1 -> revoked_49.pem -----> revokes only cert49.pem
-rw-r--r-- 1 pshah users 1233 Jan 28 17:09 cacert.pem
-rw-r--r-- 1 pshah users 560 Jan 28 17:10 revoked_48.pem
-rw-r--r-- 1 pshah users 560 Jan 28 17:10 revoked_49.pem
$ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
cert49.pem: OK
$ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
error 23 at 0 depth lookup:certificate revoked
29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table:x509_lu.c:418:
A CRL (Certificate Revocation List) is the list of ALL the revoked
certificates at the time it is issued.
So if at time t1 certificate 48 is revoked,
then all the subsequent CRLs MUST indicate certificate 48 as
revoked.
If later at time t2 certificate 49 is revoked,
then all the subsequent CRLs MUST indicate that both certificate 48 and
certificate 49 are revoked.
Thus only the last CRL has to be considered. Since the delivery times of
the CRLs are close together,
it is not easy to check in the example which is the last CRL.
So, as seen above, the second CRL is not loaded (and I have confirmed
this with gdb.).
A second related question is that even if openssl allowed loading
multiple CRL for the same issuer, it looks as if openssl will only use
the first unexpired CRL from the list. There might be cases where you
would have a fresher unexpired CRL which might not get picked and
result in wrong verification result.
If a CRL is expired, this means that a new CRL should have been delivered
and you have not received it.
To avoid dangerous forbidden access, every access should be forbidden.
To take into account an unexpected urgent problem, a new CRL may be issued
even when the previous one is not expired.
I hope this helps.
Dominique LOHEZ
A third question is that what if I had two valid CRLs from the same
issuer (CRL1 revoked cert 1 and CRL2 revokes cert 2), then when cert 2
is to be verified, it would wrongly be considered unrevoked.
Thanks,
Paras
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: dominique.lo...@isen.fr
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
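The situation discussed in this thread, reproduced as an added example (not code from either poster or from the OpenSSL project): a throwaway CA issues cert48 and cert49, then publishes two CRLs, the first listing only cert48 and the second listing both. The crlNumber extension identifies the newest CRL unambiguously even when the thisUpdate times are seconds apart, and verifying against the stale CRL alone shows why a fresher CRL must not be skipped. It assumes only an openssl CLI with the req, ca, crl and verify subcommands; the CA, config and file names are constructed.

```shell
#!/bin/sh
# Added demo (not from the thread): a throwaway CA issues two leaf certs and two CRLs;
# CRL 1 lists only cert48, CRL 2 lists cert48 and cert49. Assumes an openssl CLI with
# the req/ca/crl/verify subcommands; every name and value below is constructed.
set -e
W=$(mktemp -d); cd "$W"; mkdir ca; touch ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = d
[d]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = p
[p]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3ca
[dn]
[v3ca]
basicConstraints = critical,CA:TRUE
EOF
q() { "$@" >/dev/null 2>&1; }   # run a command quietly
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 30 -config ca.cnf
for n in 48 49; do
  q openssl req -newkey rsa:2048 -nodes -keyout k$n.pem -out r$n.csr -subj /CN=cert$n -config ca.cnf
  q openssl ca -batch -config ca.cnf -in r$n.csr -out cert$n.pem
done
q openssl ca -config ca.cnf -revoke cert48.pem; q openssl ca -config ca.cnf -gencrl -out revoked_48.pem
q openssl ca -config ca.cnf -revoke cert49.pem; q openssl ca -config ca.cnf -gencrl -out revoked_49.pem
# Newest CRL = highest crlNumber (monotonic per issuer; openssl prints it in hex, compared lexically here).
newest_crl() {
  for f in "$@"; do echo "$(openssl crl -in "$f" -noout -crlnumber | cut -d= -f2) $f"; done |
    sort -k1,1 | tail -n1 | cut -d' ' -f2
}
# Verify a cert against a CApath holding the CA cert plus exactly one CRL (<hash>.0 / <hash>.r0 layout).
verify_with_crl() {  # $1 = CRL file, $2 = cert file; prints ok, revoked or error
  d=$(mktemp -d); h=$(openssl x509 -in ca.pem -noout -hash)
  cp ca.pem "$d/$h.0"; cp "$1" "$d/$h.r0"
  out=$(openssl verify -CApath "$d" -crl_check "$2" 2>&1 || true)
  case "$out" in *"certificate revoked"*) echo revoked;; *": OK"*) echo ok;; *) echo "error: $out";; esac
}
```

`verify_with_crl revoked_48.pem cert49.pem` prints `ok` because the stale CRL does not list cert49, while `verify_with_crl "$(newest_crl revoked_48.pem revoked_49.pem)" cert49.pem` prints `revoked`; installing only the CRL with the highest crlNumber in CApath avoids depending on which of several same-issuer CRLs the library happens to pick.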