On Mon, Oct 12, 2009, Victor B. Wagner wrote:

> On 2009.10.12 at 14:49:23 +0200, Dr. Stephen Henson wrote:
> 
> > On Mon, Oct 12, 2009, Victor B. Wagner wrote:
> > 
> > > 
> > > BTW, it seems that most applications which actually use CRLs, such as
> > > Apache, openvpn and stunnel, do implement lookup of certificate in the CRL
> > > in its own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.
> > > 
> > > 
> > 
> > In some cases CRL lookup is done manually because the code originates from a
> > time when OpenSSL didn't perform its own CRL lookup.
> 
> I can provide in some reasonable timeframe (say, this week) a patch with
> following functionality:
> 
> 1. Somehow document X509_STORE object. It would require proofreading,
> because I do not have experience with big certification authorities with
> multimegabyte CRLs and multilevel secondary CA hierarchy (where security
> problems you mention are applicable). But I'm sure it is better than
> nothing
> 
> 2. Make X509_LOOKUP_hash_dir lookup method honour cache field in the
> X509_STORE structure. (I think that it is better to make this field
> a bit mask and interpret constants X509_LU_CERT and X509_LU_CRL as
> bit flags, but it would conflict with X509_LU_PKEY constant, which 
> seems to be unused anyway. But for first time handle this field as
> boolean flag is better than nothing)
> 
> 3. Make X509_LOOKUP_hash_dir check notAfter field of certificate and
> nextUpdate field of CRL and attempt to reload CRL/certificate from
> disk if cached copy in the memory has expired.
> 
> Does this plan seem to be an acceptable intermediate solution?
> 

Well we are in the middle of a beta release cycle so making incompatible
changes and/or major new functionality isn't an option.

The functionality for #3 should already be in 1.0.0. Though it permits CRLs to
coexist with different dates.

Handling multi-megabyte CRLs is problematical in any case. OpenSSL typically
trebles the size of them at least when storing in memory for example. Servers
which use fork() and are not multithreaded will suffer big performance hits
reloading such CRLs.

Documentation I think should really concentrate on the verification mechanism
and X509_STORE_CTX. X509_STORE is badly broken and was supposed to have been
replaced long ago but that hasn't happened for various reasons.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
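A sketch of the cache-refresh behaviour described in item 3 of the plan (keep a CRL in memory, re-read it from disk once its nextUpdate has passed), added here as an example; it is not OpenSSL code and not from anyone in this thread. The hypothetical tlv()/der() helpers walk and build the DER CertificateList structure, and SAMPLE_CRL is a constructed, unsigned, empty CRL used only so the block runs offline with the standard library.

```python
import datetime as dt

def der(tag, body):
    """Tiny DER encoder (hypothetical helper) used only to build the constructed sample."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])) + body

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length: low bits give the byte count
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def crl_next_update(crl_der):
    """nextUpdate of a DER CertificateList as an aware UTC datetime, or None if absent."""
    _, tbs, _ = tlv(tlv(crl_der)[1])   # CertificateList SEQUENCE -> tbsCertList SEQUENCE
    tag, _, pos = tlv(tbs)             # version INTEGER is OPTIONAL in tbsCertList
    if tag == 0x02:
        _, _, pos = tlv(tbs, pos)      # signature AlgorithmIdentifier
    _, _, pos = tlv(tbs, pos)          # issuer Name
    _, _, pos = tlv(tbs, pos)          # thisUpdate
    if pos < len(tbs):
        tag, val, _ = tlv(tbs, pos)    # nextUpdate, or revokedCertificates/extensions when absent
        fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)  # UTCTime / GeneralizedTime
        if fmt:
            return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)
    return None

class CrlCache:
    """Keep a CRL in memory but re-read the file once its nextUpdate has passed (item 3)."""
    def __init__(self, path):
        self.path, self.der, self.next_update, self.loads = path, None, None, 0
    def get(self, now):
        # A CRL without nextUpdate is never considered stale here; a real policy would cap its age.
        if self.der is None or (self.next_update is not None and now >= self.next_update):
            with open(self.path, "rb") as f:
                self.der = f.read()
            self.next_update, self.loads = crl_next_update(self.der), self.loads + 1
        return self.der

# Constructed sample: an empty v2 CRL with an empty issuer and an empty signature BIT STRING.
_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
SAMPLE_CRL = der(0x30,
    der(0x30, der(0x02, b"\x01") + _ALG + der(0x30, b"")
        + der(0x17, b"091012000000Z") + der(0x18, b"20091019000000Z"))
    + _ALG + der(0x03, b"\x00"))
```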