Hello,
I am a stunnel user, which implements code from mod_ssl for
certificate/CRL verifications.
I noticed a strange behaviour when verifying a CRL which uses the
ssl_callback_SSLVerify_CRL function of mod_ssl:
If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile.
Then, for any new connection, logs show "CRL: verification passed",
which means that ssl_callback_SSLVerify_CRL returned TRUE.
-> NOT OK, IMO.
Examples of wrong CRLs: a CRL issued by an unknown CA or a
certificate in the PEM format.
I propose the attached patch to modify the behaviour of the
ssl_callback_SSLVerify_CRL function, i.e. return false if no CRL
corresponding to the issuer of each certificate of the chain is found.
--
Christophe Nanteuil
--- ssl_engine_kernel.c.saved 2009-02-03 18:47:51.000000000 +0100
+++ ssl_engine_kernel.c 2009-02-03 18:55:12.000000000 +0100
@@ -1615,6 +1615,7 @@
char *cp;
char *cp2;
ASN1_TIME *t;
+ BOOL good_crl = FALSE;
/*
* Unless a revocation store for CRLs was created we
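Review bot: `good_crl` is declared without a comment saying what it tracks, and the name reads as "the CRL is valid" while the later hunks set it whenever a lookup block runs to its end; a one-line comment, or a name such as `crl_found`, would make the final return easier to audit. The context comment right below the declaration (cut off here at "Unless a revocation store for CRLs was created we") introduces the path taken when no store exists. The hunk does not show what that path returns, so please confirm it is consistent with the new fail-closed return when a CRL file was configured but could not be loaded.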
@@ -1724,6 +1725,7 @@
return FALSE;
}
X509_OBJECT_free_contents(&obj);
+ good_crl = TRUE;
}
/*
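Review bot: `good_crl = TRUE` here and the identical assignment in the next hunk feed a single flag, so reaching the end of either block is enough for the final return to accept. The description says the call should fail when no CRL for the issuer of the certificate is found. If only one of the two blocks is the issuer lookup, set the flag only there, otherwise a CRL matched in this block alone would still let the certificate pass.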
@@ -1764,8 +1766,9 @@
}
}
X509_OBJECT_free_contents(&obj);
+ good_crl = TRUE;
}
- return ok;
+ return (good_crl?ok:FALSE);
}
/*
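Review bot: the new failure path in `return (good_crl?ok:FALSE);` rejects the certificate with nothing visible in this hunk that logs the reason or records a verification error, so an administrator would see a failed handshake with no hint that a missing CRL caused it. Add a log line and an error code before returning FALSE. Style: write the expression with spaces and without the redundant parentheses, as `return good_crl ? ok : FALSE;`.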