On Wed, 11 May 2005, Thomas NOEL wrote:
> Hello,
>
> On 11.05.2005 11:49, James Yonan wrote:
> >>I think there is a security issue with the crl-verify code. OpenVPN only
> >>checks the issuer of the CRL, but not the CRL signature.
> >>If you sign a CRL with another CA (even self signed) which
Hello,
(...)
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif
(...)>>
With this kind of X509_STORE_CTX, OpenSSL automagically manages all CAs
and all CRLs included in
Hello,
On 11.05.2005 11:49, James Yonan wrote:
I think there is a security issue with the crl-verify code. OpenVPN only
checks the issuer of the CRL, but not the CRL signature.
If you sign a CRL with another CA (even self-signed) which has the same
DN as the certificate issuer, OpenVPN acc
> Hello,
>
> I think there is a security issue with the crl-verify code. OpenVPN only
> checks the issuer of the CRL, but not the CRL signature.
>
> If you sign a CRL with another CA (even self-signed) which has the same
> DN as the certificate issuer, OpenVPN accepts it as a good CRL: the
>
Hello,
I think there is a security issue with the crl-verify code. OpenVPN only
checks the issuer of the CRL, but not the CRL signature.
If you sign a CRL with another CA (even self-signed) which has the same
DN as the certificate issuer, OpenVPN accepts it as a good CRL: the
server or the