On 2009.10.12 at 14:49:23 +0200, Dr. Stephen Henson wrote:
> On Mon, Oct 12, 2009, Victor B. Wagner wrote:
> >
> > BTW, it seems that most applications which actually use CRLs, such as
> > Apache, openvpn and stunnel, do implement lookup of the certificate in the CRL
> > in their own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.
> >
>
> In some cases CRL lookup is done manually because the code originates from a
> time when OpenSSL didn't perform its own CRL lookup.
I can provide in some reasonable timeframe (say, this week) a patch with the following functionality:

1. Somehow document the X509_STORE object. It would require proofreading, because I do not have experience with big certification authorities with multimegabyte CRLs and multilevel secondary CA hierarchies (where the security problems you mention are applicable). But I'm sure it is better than nothing.

2. Make the X509_LOOKUP_hash_dir lookup method honour the cache field in the X509_STORE structure. (I think that it is better to make this field a bit mask and interpret the constants X509_LU_CERT and X509_LU_CRL as bit flags, but it would conflict with the X509_LU_PKEY constant, which seems to be unused anyway. But for the first time, handling this field as a boolean flag is better than nothing.)

3. Make X509_LOOKUP_hash_dir check the notAfter field of a certificate and the nextUpdate field of a CRL, and attempt to reload the CRL/certificate from disk if the cached copy in memory has expired.

Does this plan seem to be an acceptable intermediate solution?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
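The lookup path the thread is about (OpenSSL's own CRL check through the hashed directory that X509_LOOKUP_hash_dir reads, rather than application-side CRL matching) can be exercised end to end with the openssl command line. The script below is an added example, not code from the thread or from OpenSSL; it assumes an `openssl` binary on PATH and builds a constructed throwaway CA, leaf certificate and CRL with invented names.

```shell
# Added example (not the thread's or OpenSSL's own code): OpenSSL's built-in
# CRL lookup (X509_V_FLAG_CRL_CHECK) via a hashed -CApath directory
# (X509_LOOKUP_hash_dir), on a constructed throwaway PKI with invented names.
set -e
# Build a CA, a leaf it signed, a CRL revoking that leaf, and the hashed dir.
setup_pki() {
  d=$1; mkdir -p "$d/capath"; : > "$d/index.txt"; echo 1000 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj /CN=ExampleTestCA -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=leaf.example -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.crt" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -crldays 30 -out "$d/crl.pem" 2>/dev/null
  # hash_dir looks up <subject-hash>.0 for the CA cert, <issuer-hash>.r0 for the CRL
  cp "$d/ca.crt" "$d/capath/$(openssl x509 -hash -noout -in "$d/ca.crt").0"
  cp "$d/crl.pem" "$d/capath/$(openssl crl -hash -noout -in "$d/crl.pem").r0"
}
# Verify the leaf against the dir; $2 is empty or -crl_check. Prints OK/revoked.
verify_leaf() {
  out=$(openssl verify $2 -CApath "$1/capath" "$1/leaf.crt" 2>&1 || true)
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo OK ;;
    *) echo "$out" ;;
  esac
}
work=$(mktemp -d)
setup_pki "$work"
echo "without -crl_check: $(verify_leaf "$work")"              # OK: revocation unseen
echo "with -crl_check:    $(verify_leaf "$work" -crl_check)"   # revoked
```

The first verify passes because, without the flag, the store never consults the `.r0` file; the second fails only because X509_V_FLAG_CRL_CHECK makes the hash_dir lookup fetch and apply the CRL.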