On Thu, Jan 09, 2014, Bin Lu wrote:
> Here is the problem, in cert_crl():
>
>     /* The rules changed for this... previously if a CRL contained
>      * unhandled critical extensions it could still be used to indicate
>      * a certificate was revoked. This has since been changed since
>      * critical extension can change the meaning of CRL entries.
>      */
>     if (crl->flags & EXFLAG_CRITICAL)
>         {
>         if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
>             return 1;
>         ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
>         ok = ctx->verify_cb(0, ctx);
>         if (!ok)
>             return 0;
>         }
>
> Why are we making this change, skipping the critical CRL extensions? This is
> causing all the regressions. In this case, should we expect
> X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation result
> based on the CRL content? Basically we fail the validation once we encounter
> a critical CRL extension, if flag IGNORE_CRITICAL is not set, or succeed if
> the flag is set, regardless of whatever is in the CRL???
>
This is now a requirement of RFC5280 5.2:

    If a CRL contains a critical extension that the application cannot
    process, then the application MUST NOT use that CRL to determine the
    status of certificates.

What extension in your CRLs is critical?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
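The RFC 5280 5.2 rule that cert_crl() enforces, as an added stand-alone example (not OpenSSL code or anything from this thread): a minimal DER walker that lists a CRL's crlExtensions and refuses the CRL when a critical one is outside the set the application handles, unless the caller opts in the way X509_V_FLAG_IGNORE_CRITICAL does. The sample CRL, its placeholder signature, the made-up critical extension OID 1.2.3.4 and the SUPPORTED set are all constructed for the example.

```python
# Added example, not OpenSSL code: read crlExtensions from a DER CRL and apply
# the RFC 5280 5.2 rule that cert_crl() enforces. Short-form lengths only.
SUPPORTED = {"2.5.29.20", "2.5.29.35", "2.5.29.28", "2.5.29.27"}  # crlNumber, AKID, IDP, deltaCRL

def der(tag, body):                       # minimal DER TLV encoder (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def tlv(buf, i):                          # decode one TLV at buf[i] -> (tag, body, next)
    tag, n = buf[i], buf[i + 1]
    return tag, buf[i + 2:i + 2 + n], i + 2 + n

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der):
    """Return [(oid, critical)] from TBSCertList.crlExtensions ([0] EXPLICIT)."""
    tbs = tlv(tlv(crl_der, 0)[1], 0)[1]   # CertificateList -> TBSCertList body
    i, exts = 0, []
    while i < len(tbs):
        tag, body, i = tlv(tbs, i)
        if tag != 0xA0:
            continue
        ext_seq, j = tlv(body, 0)[1], 0
        while j < len(ext_seq):
            _, ext, j = tlv(ext_seq, j)
            _, oid, k = tlv(ext, 0)       # BOOLEAN critical is optional, default FALSE
            critical = ext[k] == 0x01 and tlv(ext, k)[1] == b"\xff"
            exts.append((decode_oid(oid), critical))
    return exts

def crl_usable(crl_der, ignore_critical=False):
    """RFC 5280 5.2: unhandled critical extension -> CRL unusable, unless opted in."""
    unhandled = [o for o, c in crl_extensions(crl_der) if c and o not in SUPPORTED]
    return (not unhandled) or ignore_critical, unhandled

# Constructed sample CRL: placeholder signature; unknown critical ext (made-up OID 1.2.3.4) on request.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
CRL_NUMBER = der(0x30, der(0x06, b"\x55\x1d\x14") + der(0x04, der(0x02, b"\x05")))
UNKNOWN_CRIT = der(0x30, der(0x06, b"\x2a\x03\x04") + der(0x01, b"\xff") + der(0x04, der(0x05, b"")))

def sample_crl(extra=b""):
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"Test CA"))))
    tbs = der(0x30, der(0x02, b"\x01") + ALG + issuer + der(0x17, b"140109000000Z")
              + der(0xA0, der(0x30, CRL_NUMBER + extra)))
    return der(0x30, tbs + ALG + der(0x03, b"\x00" * 9))
```

With the unknown critical extension present, crl_usable() reports the CRL unusable and names the offending OID, which is the information to check before reaching for an ignore-critical flag.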