On Thu, Jan 09, 2014, Bin Lu wrote:

>  Here is the problem, in cert_crl():
> 
>        /* The rules changed for this... previously if a CRL contained
>          * unhandled critical extensions it could still be used to indicate
>          * a certificate was revoked. This has since been changed since
>          * critical extension can change the meaning of CRL entries.
>          */
>         if (crl->flags & EXFLAG_CRITICAL)
>                 {
>                 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
>                         return 1;
>                 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
>                 ok = ctx->verify_cb(0, ctx);
>                 if(!ok)
>                         return 0;
>                 }
> 
> Why are we making this change, skipping the critical CRL extensions? This is
> causing all the regressions. In this case, should we expect
> X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation result
> based on the CRL content? Basically we fail the validation once we encounter
> a critical CRL extension if the flag IGNORE_CRITICAL is not set, or succeed if
> the flag is set, regardless of whatever is in the CRL?
> 

This is now a requirement of RFC5280 5.2:

   If a CRL contains a critical extension
   that the application cannot process, then the application MUST NOT
   use that CRL to determine the status of certificates.

What extension in your CRLs is critical?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
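Steve's question ("what extension in your CRLs is critical?") is the first thing to answer when cert_crl() rejects a CRL, and the quoted code is the second: the decision depends only on whether any critical extension is one the verifier handles, not on the revocation entries. The example below is added here and is not OpenSSL code. It uses only the Python standard library: a few DER helpers build a constructed, unsigned CertificateList (dummy signature bits) carrying CRLNumber (non-critical), IssuingDistributionPoint (critical) and a made-up private OID marked critical; a small decoder then lists every crlExtensions entry with its critical flag and applies the RFC 5280 5.2 rule the way cert_crl() does. OpenSSL sets EXFLAG_CRITICAL while decoding the CRL; the example models that with an explicit set of handled OIDs passed by the caller, which is an assumption for illustration, as is the private OID 1.3.6.1.4.1.99999.1.

```python
"""List the extensions of a DER-encoded X.509 CRL and apply the RFC 5280 5.2
rule: an unhandled critical extension makes the CRL unusable.  Added example,
not OpenSSL code; the CRL below is constructed and carries a dummy signature."""

# ---- minimal DER encoding, only what the constructed CRL needs --------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_extension(oid: str, critical: bool, value: bytes) -> bytes:
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    # DER omits the BOOLEAN when it equals its default (FALSE).
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der_oid(oid) + crit + der(0x04, value))

# ---- minimal DER decoding --------------------------------------------------
def tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, value, pos = tlv(buf, pos)
        yield tag, value

def decode_oid(raw: bytes) -> str:
    values, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(acc)
            acc = 0
    lead = 2 if values[0] >= 80 else values[0] // 40
    return ".".join(map(str, [lead, values[0] - 40 * lead] + values[1:]))

def crl_extensions(crl_der: bytes):
    """Return [(oid, critical)] from crlExtensions [0] of a CertificateList."""
    _, cert_list, _ = tlv(crl_der)
    _, tbs, _ = tlv(cert_list)                # tbsCertList is the first child
    for tag, value in children(tbs):
        if tag == 0xA0:                       # [0] EXPLICIT Extensions
            _, exts, _ = tlv(value)           # inner SEQUENCE OF Extension
            result = []
            for _, ext in children(exts):
                fields = list(children(ext))
                critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
                result.append((decode_oid(fields[0][1]), critical))
            return result
    return []

X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"

def cert_crl_decision(crl_der: bytes, handled_oids, ignore_critical: bool = False):
    """Mirror the cert_crl() rule from the thread.  handled_oids stands in for
    what OpenSSL knows how to process (assumption for illustration).
    Returns (usable, error, unhandled_critical_oids)."""
    unhandled = [oid for oid, crit in crl_extensions(crl_der)
                 if crit and oid not in handled_oids]
    if not unhandled or ignore_critical:      # X509_V_FLAG_IGNORE_CRITICAL
        return True, None, unhandled
    return False, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, unhandled

def build_sample_crl() -> bytes:
    """Constructed CRL: CRLNumber (non-critical), IssuingDistributionPoint
    (critical) and a made-up private OID marked critical.  Unsigned."""
    alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    issuer = der(0x30, b"")                   # empty Name, enough to parse
    this_update = der(0x17, b"140109000000Z")
    exts = der(0x30,
               der_extension("2.5.29.20", False, der(0x02, b"\x07")) +
               der_extension("2.5.29.28", True, der(0x30, b"")) +
               der_extension("1.3.6.1.4.1.99999.1", True, der(0x04, b"x")))
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + this_update + der(0xA0, exts))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 5))

if __name__ == "__main__":
    crl = build_sample_crl()
    for oid, crit in crl_extensions(crl):
        print(f"{oid:24} critical={crit}")
    print(cert_crl_decision(crl, {"2.5.29.20", "2.5.29.28"}))
```

Run against a real CRL (`open("crl.der", "rb").read()`), `crl_extensions()` answers Steve's question directly; any OID it reports as critical that the verifier does not implement is exactly what turns the whole CRL unusable, independent of which serial numbers it lists.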
