Hi All,
I was under the impression that openssl allows loading multiple CRLs for the
same issuer. But this does not seem to be the case, as is proved by using
"openssl verify".

$ ls -l ./ca/
total 24
lrwxrwxrwx  1 pshah users   10 Jan 28 21:56 ba4bb3b6.0 -> cacert.pem          -----> the CA cert
lrwxrwxrwx  1 pshah users   14 Jan 28 21:56 ba4bb3b6.r0 -> revoked_48.pem     -----> revokes only cert48.pem
lrwxrwxrwx  1 pshah users   14 Jan 28 21:56 ba4bb3b6.r1 -> revoked_49.pem     -----> revokes only cert49.pem
-rw-r--r--  1 pshah users 1233 Jan 28 17:09 cacert.pem
-rw-r--r--  1 pshah users  560 Jan 28 17:10 revoked_48.pem
-rw-r--r--  1 pshah users  560 Jan 28 17:10 revoked_49.pem

$ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
cert49.pem: OK

$ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
error 23 at 0 depth lookup:certificate revoked
29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table:x509_lu.c:418:

So, as seen above, the second CRL is not loaded (and I have confirmed this
with gdb).

A second related question is that even if openssl allowed loading multiple
CRLs for the same issuer, it looks as if openssl will only use the first
unexpired CRL from the list. There might be cases where you would have a
fresher unexpired CRL which might not get picked, resulting in a wrong
verification result.

A third question: what if I had two valid CRLs from the same issuer
(CRL1 revokes cert 1 and CRL2 revokes cert 2)? Then when cert 2 is to be
verified, it would wrongly be considered unrevoked.

Thanks,
Paras
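
The following script is an added, self-contained reproduction of the third question above; it is not code from the post or from the OpenSSL project. It assumes only the `openssl` command-line tool and reuses the post's layout of a `-CApath` directory (`<hash>.0` for the CA certificate, `<hash>.r0` and `<hash>.r1` for two CRLs of the same issuer). The CA name, the `demo_ca` config section, the `CA_DIR` environment variable and the cert48/cert49/crl_48/crl_49 file names are all made up for the demo. Whatever the installed OpenSSL does with the second CRL, whether it rejects it with "cert already in hash table" as in the post or loads it and then consults only the freshest one, exactly one of the two leaf certificates escapes with `OK` when the two CRLs are partial, while a single cumulative CRL flags both. The practical consequence is that a verifier cannot be relied on to merge several full CRLs from one issuer, so each full CRL a CA publishes must list every still-valid revocation.

```shell
#!/bin/sh
# Constructed demo, not code from the original post: build a throw-away CA and two leaf
# certificates, then compare what "openssl verify -crl_check" reports when the -CApath
# directory holds two partial CRLs (each revoking one cert, linked as <hash>.r0 and
# <hash>.r1 exactly as in the post) versus one cumulative CRL that lists both.
# Assumes only the openssl command-line tool; all names and paths below are made up.
set -eu

WORK="$(mktemp -d)"
export CA_DIR="$WORK/db"        # the config below picks this up via $ENV::CA_DIR

# Minimal configuration for "openssl req" and "openssl ca"; everything lives under $WORK.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = \$ENV::CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = $WORK/cacert.pem
private_key      = $WORK/cakey.pem
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

build_ca() {
  mkdir -p "$CA_DIR"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -subj "/CN=Demo CA" -days 30 2>/dev/null
}

# Issue a leaf certificate through "openssl ca" so it is recorded in the CA database.
issue_cert() {   # $1 = name, writes $WORK/$1.pem
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

# Produce a CRL listing exactly the given certificates. Revocations are applied to a
# copy of the CA database only so that a "partial" CRL can be built for the demo; a
# real CA keeps one database, so every CRL it issues is cumulative.
make_crl() {     # $1 = CRL name, remaining args = certificates to revoke
  name="$1"; shift
  snapshot="$WORK/db_$name"
  cp -r "$WORK/db" "$snapshot"
  for cert in "$@"; do
    CA_DIR="$snapshot" openssl ca -config "$WORK/ca.cnf" -revoke "$cert" 2>/dev/null
  done
  CA_DIR="$snapshot" openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/$name.pem" 2>/dev/null
}

# Build a -CApath directory: <hash>.0 for the CA cert and <hash>.r0, <hash>.r1, ... for
# the CRLs (same issuer, so the same hash with increasing suffixes, as in the post).
install_capath() {   # $1 = directory, remaining args = CRL files
  dir="$1"; shift
  mkdir -p "$dir"
  hash="$(openssl x509 -noout -hash -in "$WORK/cacert.pem")"
  ln -s "$WORK/cacert.pem" "$dir/$hash.0"
  i=0
  for crl in "$@"; do
    ln -s "$crl" "$dir/$hash.r$i"
    i=$((i + 1))
  done
}

# Verify both leaf certificates against a -CApath directory and print how many of
# them "openssl verify -crl_check" reports as revoked (0, 1 or 2).
count_revoked() {   # $1 = -CApath directory
  n=0
  for cert in "$WORK/cert48.pem" "$WORK/cert49.pem"; do
    if openssl verify -CApath "$1" -crl_check "$cert" 2>&1 | grep -q 'certificate revoked'; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

build_ca
issue_cert cert48
issue_cert cert49
make_crl crl_48 "$WORK/cert48.pem"                      # like revoked_48.pem in the post
make_crl crl_49 "$WORK/cert49.pem"                      # like revoked_49.pem in the post
make_crl crl_all "$WORK/cert48.pem" "$WORK/cert49.pem"  # one cumulative CRL
install_capath "$WORK/capath_partial"    "$WORK/crl_48.pem" "$WORK/crl_49.pem"
install_capath "$WORK/capath_cumulative" "$WORK/crl_all.pem"

echo "two partial CRLs (.r0 and .r1): $(count_revoked "$WORK/capath_partial") of 2 certs reported revoked"
echo "one cumulative CRL:             $(count_revoked "$WORK/capath_cumulative") of 2 certs reported revoked"
```

Run it as `sh demo.sh`; the first line reports 1 of 2 and the second 2 of 2. The script grep-matches the "certificate revoked" text rather than relying on the exit status of `openssl verify`, because older releases returned 0 even on a failed verification.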
