On Mon, Oct 12, 2009, Victor B. Wagner wrote:

> 
> 2. Make X509_LOOKUP_hash_dir lookup method honour cache field in the
> X509_STORE structure. (I think that it is better to make this field
> a bit mask and interpret constants X509_LU_CERT and X509_LU_CRL as
> bit flags, but it would conflict with X509_LU_PKEY constant, which
> seems to be unused anyway. But for a first time, handling this field as
> a boolean flag is better than nothing.)
> 

Ah I just remembered something about how this works which makes disabling
caching more complex.

The X509_LOOKUP API retrieves one matching object: that's a limitation of the
API. It however populates the cache with all matching objects. The API
limitation can be worked around by examining the cache after a lookup.

If you disable the cache without having something equivalent to retrieve
multiple matching objects you can stop verification working properly in some
cases, for example:

1. CRLs with only partial scope (deltas and partitioned ones).
2. Certificates with different AKID but same subject names.
3. Historical checks on chains using certificates and/or CRLs that are not
current.

Admittedly #3 isn't likely to be used much but in the case of #1 and #2 some
paths will just fail to verify. We'd at least need to document that: in many
cases such features won't be used so it won't matter.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
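The failure mode Steve describes above, shown as an added, constructed simulation (this is not OpenSSL code, and the names `Obj`, `Store`, `lookup_one` and `cached_matches` are assumptions chosen for the model): the lookup method hands back a single matching object but drops every match into the store cache, so verification logic that needs all matches (cases #1 and #2 in the mail) can only recover them by examining the cache afterwards. With the cache switched off, that workaround silently stops working.

```python
"""Constructed model of the X509_LOOKUP 'one object back, all objects cached' behaviour.

Not OpenSSL code: a toy store whose lookup returns the first match only, but whose
cache receives every match. Two verification steps are shown both ways:
issuer selection by AKID (case #2) and CRL set collection (case #1).
"""
from dataclasses import dataclass, field
from typing import List, Optional

X509_LU_X509 = 1  # object type: certificate (constant name borrowed from OpenSSL)
X509_LU_CRL = 2   # object type: CRL


@dataclass(frozen=True)
class Obj:
    type: int
    subject: str                  # for a CRL: the issuing CA's name
    issuer: str
    skid: Optional[str] = None    # subject key identifier (certs only)
    akid: Optional[str] = None    # authority key identifier
    partial_scope: bool = False   # delta or partitioned CRL


@dataclass
class Store:
    backend: List[Obj]                          # what a hash_dir lookup finds on disk
    cache: List[Obj] = field(default_factory=list)  # the X509_STORE object cache
    cache_enabled: bool = True                  # the 'cache' field Victor wants honoured

    def lookup_one(self, obj_type: int, name: str) -> Optional[Obj]:
        """X509_LOOKUP-style API: cache every match, return only one of them."""
        matches = [o for o in self.backend if o.type == obj_type and o.subject == name]
        if self.cache_enabled:
            for m in matches:
                if m not in self.cache:
                    self.cache.append(m)
        return matches[0] if matches else None

    def cached_matches(self, obj_type: int, name: str) -> List[Obj]:
        """The workaround: inspect the cache after a lookup to see all matches."""
        return [o for o in self.cache if o.type == obj_type and o.subject == name]


def issuer_first_match(store: Store, cert: Obj) -> Optional[Obj]:
    """Naive issuer selection: trust the single object the lookup returns."""
    cand = store.lookup_one(X509_LU_X509, cert.issuer)
    return cand if cand is not None and cand.skid == cert.akid else None


def issuer_from_cache(store: Store, cert: Obj) -> Optional[Obj]:
    """Issuer selection that checks every same-subject CA for a matching SKID."""
    store.lookup_one(X509_LU_X509, cert.issuer)  # side effect: populates the cache
    for cand in store.cached_matches(X509_LU_X509, cert.issuer):
        if cand.skid == cert.akid:
            return cand
    return None


def crls_first_match(store: Store, issuer_name: str) -> List[Obj]:
    crl = store.lookup_one(X509_LU_CRL, issuer_name)
    return [] if crl is None else [crl]


def crls_from_cache(store: Store, issuer_name: str) -> List[Obj]:
    store.lookup_one(X509_LU_CRL, issuer_name)
    return store.cached_matches(X509_LU_CRL, issuer_name)


def crl_set_is_complete(crls: List[Obj]) -> bool:
    """A delta/partitioned CRL alone does not cover the issuer; a full CRL must be present."""
    return any(not c.partial_scope for c in crls)


def build_store(cache_enabled: bool = True) -> Store:
    """Constructed sample data: a CA that rolled its key (two certs, same subject,
    different SKID) and a delta CRL that the backend lists before the full CRL."""
    ca = "CN=Example CA"
    old_ca = Obj(X509_LU_X509, ca, ca, skid="kid-old", akid="kid-old")
    new_ca = Obj(X509_LU_X509, ca, ca, skid="kid-new", akid="kid-new")
    delta = Obj(X509_LU_CRL, ca, ca, akid="kid-new", partial_scope=True)
    full = Obj(X509_LU_CRL, ca, ca, akid="kid-new")
    return Store(backend=[old_ca, new_ca, delta, full], cache_enabled=cache_enabled)


# Constructed leaf certificate issued under the CA's new key.
LEAF = Obj(X509_LU_X509, "CN=server.example", "CN=Example CA", skid="kid-leaf", akid="kid-new")


def demo(cache_enabled: bool = True) -> dict:
    store = build_store(cache_enabled)
    issuer = issuer_from_cache(store, LEAF)
    return {
        "issuer_first_match": issuer_first_match(store, LEAF) is not None,
        "issuer_from_cache": issuer is not None and issuer.skid == "kid-new",
        "crls_first_match_complete": crl_set_is_complete(crls_first_match(store, "CN=Example CA")),
        "crls_from_cache_complete": crl_set_is_complete(crls_from_cache(store, "CN=Example CA")),
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print("cache enabled:", enabled)
        for name, ok in demo(enabled).items():
            print("  ", name, "->", ok)
```

With the cache on, the first-match variants fail both checks while the cache-scanning variants pass; with the cache off, the cache-scanning variants fail too, which is the regression the mail warns about when the cache field is honoured without adding a multi-object lookup.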