On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:

> "X509_LOOKUP_hash_dir is a more advanced method, which loads certificates
> and CRLs on demand, and caches them in memory once they are loaded. As of
> OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer
> CRLs are as soon as they appear in the directory. When checking for new CRLs
> once one CRL for given hash value is loaded, hash_dir lookup method checks
> only for certificates with sequence number greater than that of the already
> cached CRL" - This certainly does not happen. It should have stated that only
> unique file names will be loaded once from the disk, and the new ones for
> the same issuer will not be looked up even if you change the sequence
> number.
>
They should be looked up: if they aren't, this is a bug. The problem is that unless the current time exceeds the nextUpdate field of the new CRL it won't be used: it will use the first one where the current time is between lastUpdate and nextUpdate.

When you added a new CRL, was it just "newer" (i.e. thisUpdate later than the current one), or had the current time exceeded nextUpdate? If the latter and the new CRL wasn't used, that's a bug which should be fixed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
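To make the selection behaviour discussed in this thread concrete, here is an added Python model (not OpenSSL's own code) of the documented hash_dir CRL lookup: new files with a higher sequence number for the same issuer hash are picked up on each lookup, but the first cached CRL whose validity window still contains the current time is the one returned, so a "newer" CRL only takes over once the older one's nextUpdate has passed. The issuer hash, file names and dates are constructed, and a dict stands in for the directory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CRL:
    issuer_hash: str
    seq: int                # N in the <hash>.rN file name
    this_update: datetime   # RFC 5280 thisUpdate (OpenSSL also calls it lastUpdate)
    next_update: datetime


@dataclass
class HashDirLookup:
    """Model of X509_LOOKUP_hash_dir CRL loading as the documentation describes it."""
    directory: dict                                   # constructed stand-in: filename -> CRL
    cache: dict = field(default_factory=dict)         # issuer_hash -> CRLs in load order
    highest_seq: dict = field(default_factory=dict)   # issuer_hash -> last sequence loaded

    def _load_new(self, issuer_hash):
        # Only sequence numbers above the highest already cached are checked.
        seq = self.highest_seq.get(issuer_hash, -1) + 1
        while f"{issuer_hash}.r{seq}" in self.directory:
            self.cache.setdefault(issuer_hash, []).append(self.directory[f"{issuer_hash}.r{seq}"])
            self.highest_seq[issuer_hash] = seq
            seq += 1

    def lookup_crl(self, issuer_hash, now):
        self._load_new(issuer_hash)
        # First cached CRL whose validity window contains `now` wins,
        # regardless of whether a later-issued CRL is also cached.
        for crl in self.cache.get(issuer_hash, []):
            if crl.this_update <= now < crl.next_update:
                return crl
        return None


def scenario():
    """Constructed timeline: r0 valid for 7 days; r1 issued on day 3 with a later thisUpdate."""
    t0 = datetime(2016, 7, 1)
    day = timedelta(days=1)
    directory = {"ab12cd34.r0": CRL("ab12cd34", 0, t0, t0 + 7 * day)}
    lookup = HashDirLookup(directory)
    first = lookup.lookup_crl("ab12cd34", t0 + 1 * day).seq           # r0
    directory["ab12cd34.r1"] = CRL("ab12cd34", 1, t0 + 3 * day, t0 + 10 * day)
    still_old = lookup.lookup_crl("ab12cd34", t0 + 4 * day).seq       # still r0: not expired
    after_expiry = lookup.lookup_crl("ab12cd34", t0 + 8 * day).seq    # r1 once r0 has expired
    return first, still_old, after_expiry, lookup.highest_seq["ab12cd34"]
```

Running `scenario()` shows that r1 was loaded from disk at the second lookup (highest sequence becomes 1) yet r0 kept being returned until its nextUpdate passed.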