Hello!

On Wed, Mar 08, 2017 at 06:12:32PM +0200, Jürno Ader wrote:

> # HG changeset patch
> # User Jürno Ader <jyrn...@gmail.com>
> # Date 1488987398 -7200
> #      Wed Mar 08 17:36:38 2017 +0200
> # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
> # Parent  d450723755728f9d0cc291247b9601e2f3340f19
> SSL: Added crl_check_mode
>
> Added crl_check_mode flag which can be used to modify flags used for
> the X509_STORE created in ngx_ssl_crl.
>
> This makes it possible to use Estonian Identity card revocation lists with
> nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed
> since the root certificate for ESTEID does not have a proper CRL available.

Just for the record: I've again looked at this, and it seems the
problem with the CRL is as follows:

The root certificate, "EE Certification Centre Root CA", has a CRL
available at http://www.sk.ee/repository/crls/eeccrca.crl. This CRL
lists the Issuing Distribution Point extension as follows:

    X509v3 Issuing Distrubution Point: critical
        Full Name:
          URI:http://www.sk.ee/repository/crls/eeccrca.crl

But there are no CRL Distribution Points in the certificate itself.
As a result, OpenSSL refuses to use this CRL when it tries to verify
more than just a leaf certificate, for example:

    $ openssl verify -CAfile EE_Certification_Centre_Root_CA.pem.crt -CRLfile eeccrca.crl.pem -crl_check_all KLASS3-SK_2010_EECCRCA_SHA384.pem.crt
    KLASS3-SK_2010_EECCRCA_SHA384.pem.crt: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = p...@sk.ee
    error 44 at 1 depth lookup:Different CRL scope

This probably should be reported to the sk.ee team, likely they want
to fix this. Simply removing the IDP extension from the CRL should
do the trick.

[...]

-- 
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
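Added example, not part of the patch or of anything posted in this thread: a small Python model of the CRL scope rule (RFC 5280 section 6.3.3 (b)(2), applied by OpenSSL in crl_crldp_check()) that explains the "error 44 ... Different CRL scope" above. A CRL whose Issuing Distribution Point names a distribution point can only cover certificates that name a matching point in their own cRLDistributionPoints extension; the KLASS3-SK 2010 intermediate has no such extension, so the root CRL is out of scope for it under -crl_check_all, while the leaf-only -crl_check never consults the root CRL. The CA names and root CRL URL are those quoted above; the leaf certificate and the KLASS3-SK 2010 CRL URL are constructed placeholders, and cRLIssuer, indirect CRLs, reason-code partitioning and signature checks are deliberately not modelled.

```python
# Model of the CRL scope test behind OpenSSL's X509_V_ERR_DIFFERENT_CRL_SCOPE (44).
# Simplified: only issuer match, onlyCA/onlyUser flags and distribution point
# name matching are modelled (no cRLIssuer, indirect CRLs or reason codes).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

X509_V_OK = 0
X509_V_ERR_UNABLE_TO_GET_CRL = 3
X509_V_ERR_DIFFERENT_CRL_SCOPE = 44


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    # Names from cRLDistributionPoints; empty when the extension is absent.
    crl_dp_names: List[str] = field(default_factory=list)


@dataclass
class Crl:
    issuer: str
    # distributionPoint names from the Issuing Distribution Point extension;
    # None means the CRL carries no IDP extension at all.
    idp_names: Optional[List[str]] = None
    only_ca: bool = False     # IDP onlyContainsCACerts
    only_user: bool = False   # IDP onlyContainsUserCerts


def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """May this CRL answer 'is cert revoked?' (RFC 5280 6.3.3 (b)(2), simplified)."""
    if crl.issuer != cert.issuer:
        return False
    if cert.is_ca and crl.only_user:
        return False
    if not cert.is_ca and crl.only_ca:
        return False
    if not crl.idp_names:
        # No IDP, or an IDP without a distributionPoint name: a full CRL
        # from the issuer covers every certificate it issued.
        return True
    # The IDP names a distribution point, so the certificate must name a
    # matching point itself. A certificate with no cRLDistributionPoints
    # extension can never match: this is the "Different CRL scope" case.
    return any(name in crl.idp_names for name in cert.crl_dp_names)


def check_revocation_scope(chain: List[Cert], crls: List[Crl],
                           check_all: bool) -> Dict[str, int]:
    """OpenSSL-style error code per checked certificate.

    chain is leaf first and ends with the self-signed root, which is trusted
    and not checked. check_all=False mirrors -crl_check (leaf only);
    check_all=True mirrors -crl_check_all (every non-root certificate).
    """
    to_check = chain[:-1] if check_all else chain[:1]
    results: Dict[str, int] = {}
    for cert in to_check:
        candidates = [c for c in crls if c.issuer == cert.issuer]
        if not candidates:
            results[cert.subject] = X509_V_ERR_UNABLE_TO_GET_CRL
        elif any(crl_in_scope(cert, c) for c in candidates):
            results[cert.subject] = X509_V_OK
        else:
            results[cert.subject] = X509_V_ERR_DIFFERENT_CRL_SCOPE
    return results


ROOT = "EE Certification Centre Root CA"
INTERMEDIATE = "KLASS3-SK 2010"
ROOT_CRL_URL = "http://www.sk.ee/repository/crls/eeccrca.crl"
# Constructed placeholder: the real KLASS3-SK 2010 CRL location is not in the thread.
KLASS3_CRL_URL = "http://example.invalid/klass3-2010.crl"

CHAIN = [
    Cert("leaf.example.invalid (constructed)", INTERMEDIATE, False, [KLASS3_CRL_URL]),
    Cert(INTERMEDIATE, ROOT, True),   # no cRLDistributionPoints extension
    Cert(ROOT, ROOT, True),           # self-signed trust anchor
]
# Root CRL as published: critical IDP naming its own URL.
ROOT_CRL_AS_PUBLISHED = Crl(ROOT, idp_names=[ROOT_CRL_URL])
# The same CRL with the IDP extension dropped, as suggested above.
ROOT_CRL_FIXED = Crl(ROOT)
KLASS3_CRL = Crl(INTERMEDIATE, idp_names=[KLASS3_CRL_URL])   # constructed

if __name__ == "__main__":
    for label, root_crl in (("as published", ROOT_CRL_AS_PUBLISHED),
                            ("IDP removed", ROOT_CRL_FIXED)):
        for check_all in (False, True):
            res = check_revocation_scope(CHAIN, [root_crl, KLASS3_CRL], check_all)
            print(f"{label:13s} -crl_check{'_all' if check_all else ''}: {res}")
```

Running it shows the intermediate failing with 44 only for the published CRL under -crl_check_all, and passing once the IDP extension is gone; the leaf passes in every case because its own CRL is in scope.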