On Mon, Oct 12, 2009, Victor B. Wagner wrote:

> BTW, it seems that most applications which actually use CRLs, such as
> Apache, openvpn and stunnel, do implement lookup of certificate in the CRL
> in its own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.
In some cases CRL lookup is done manually because the code originates from a time when OpenSSL didn't perform its own CRL lookup. Some of this mishandles CRLs and doesn't reject CRLs containing unhandled critical extensions. This raises security concerns: for example it would be possible to substitute CRLs of limited scope and fool such applications into thinking revoked certificates were valid.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
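The substitution Steve describes, shown as an added example (this is not OpenSSL code and not anything the applications named in the thread do). It walks a DER-encoded CRL with a minimal hand-written parser, places a naive "is the serial in revokedCertificates?" check beside one that first refuses any CRL carrying a critical extension it does not implement (the RFC 5280 section 5.2 rule), and feeds both a constructed full CRL and a constructed CRL that carries a critical Issuing Distribution Point limiting it to CA certificates. The CRLs, the issuer name and serial numbers are made up for the example, and the signature is a placeholder; a real checker must also verify the signature, the issuer and the validity window.

```python
"""Naive vs. extension-aware CRL lookup over constructed DER CRLs (added example)."""

# --- minimal DER helpers: enough to build and walk a CRL, low tag numbers only ---

def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0   # fine for the 2.5.29.x arcs used here
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

# --- CRL walking ---

CRL_NUMBER = "2.5.29.20"
ISSUING_DISTRIBUTION_POINT = "2.5.29.28"   # critical, narrows the CRL's scope

def _tbs_fields(crl_der):
    _, cert_list, _ = read_tlv(crl_der)       # CertificateList
    _, tbs, _ = read_tlv(cert_list)           # tbsCertList
    return children(tbs)

def crl_extensions(crl_der):
    """Yield (oid, critical, extnValue) for each entry of crlExtensions [0]."""
    for tag, body in _tbs_fields(crl_der):
        if tag == 0xA0:
            _, exts, _ = read_tlv(body)
            for _, ext in children(exts):
                parts = children(ext)         # OID, optional BOOLEAN, OCTET STRING
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                yield decode_oid(parts[0][1]), critical, parts[-1][1]

def revoked_serials(crl_der):
    serials, seen_time = set(), False
    for tag, body in _tbs_fields(crl_der):
        if tag in (0x17, 0x18):               # thisUpdate / nextUpdate
            seen_time = True
        elif seen_time and tag == 0x30:       # revokedCertificates follows the times
            for _, entry in children(body):
                serials.add(int.from_bytes(children(entry)[0][1], "big", signed=True))
    return serials

def naive_is_revoked(crl_der, serial):
    """The pattern the thread warns about: any CRL that parses is trusted."""
    return serial in revoked_serials(crl_der)

def unhandled_critical(crl_der, handled=frozenset()):
    return [o for o, crit, _ in crl_extensions(crl_der) if crit and o not in handled]

def checked_is_revoked(crl_der, serial, handled=frozenset()):
    """Reject the CRL outright if it carries a critical extension we don't implement."""
    bad = unhandled_critical(crl_der, handled)
    if bad:
        raise ValueError("CRL has unhandled critical extension(s): " + ", ".join(bad))
    return serial in revoked_serials(crl_der)

# --- constructed sample CRLs (unsigned placeholders, not real data) ---

def build_crl(revoked, extensions):
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))   # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Example CA"))))
    this_update, next_update = tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")
    entries = b"".join(tlv(0x30, tlv(0x02, s.to_bytes(2, "big")) + this_update) for s in revoked)
    exts = b"".join(tlv(0x30, oid(o) + (tlv(0x01, b"\xff") if crit else b"") + tlv(0x04, val))
                    for o, crit, val in extensions)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + this_update + next_update
              + tlv(0x30, entries) + tlv(0xA0, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 5))   # placeholder signature

FULL_CRL = build_crl([0x1001], [(CRL_NUMBER, False, tlv(0x02, b"\x05"))])
# IDP with onlyContainsCACerts [2] TRUE: end-entity serial 0x1001 can never appear here.
SCOPED_CRL = build_crl([], [(CRL_NUMBER, False, tlv(0x02, b"\x06")),
                            (ISSUING_DISTRIBUTION_POINT, True, tlv(0x30, tlv(0x82, b"\xff")))])
```

With the full CRL both checkers report serial 0x1001 as revoked. Swap in the scoped CRL and the naive checker says "not revoked", which is the attack in the thread; the checked variant raises instead, because it does not implement Issuing Distribution Point and so cannot know what the CRL covers. Passing the IDP OID in `handled` only makes sense once the caller actually applies the scope it declares.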