Hello,
On 27/08/2013 18:14, Thaddeus Fuller wrote:
> Hello all,
> I had a couple of questions about X509 CRLs.
> 1) It appears that OpenSSL does not check my tree against the CRLs I provide.
> If I revoke my own leaf certificate, and establish mutually-authenticated SSL,
> OpenSSL does not prevent the connection from going through. However, if I revoke
> the peer's leaf certificate, it will fail with the revoked certificate error.
> Is this by intention? Should I manually check my tree against the CRL before
> allowing the user to establish a connection?
If A needs to authenticate itself to B, then A presents its own
certificate, and B must validate A's certificate: correct chaining and
revocation status.
A doesn't need to check that its own certificate isn't revoked before
trying to send it to B; that's B's duty.
> 2) Can a child CA revoke a parent CA? If I import a CRL into my system, should I check only
> the children of the CA for a matching serial and mark that certificate
> "Revoked", or should I also check the parents for revocation? What about a
> certificate that is signed by a parent, but isn't in the child's chain?
A child CA cannot revoke a parent CA, of course. The revocation status
check should be done for each certificate in the chain (except the root,
for not-so-obvious reasons).
> Two example PKI trees:
> A -> B -> C -> D
> A -> E -> F -> G
> Let's say that certificate authority "B" imports a CRL. Which certificates
> should be checked for revocation?
If you want to verify certificate D, then you must verify its revocation
status against a CRL produced by C. And then you must verify C's
revocation status against the CRL produced by B. And finally you
must verify B's revocation status against the CRL produced by A.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
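The chain walk described in the reply above, as an added example that is not part of the thread or of the OpenSSL project: a POSIX shell script that builds A -> B -> C -> D with the openssl command-line tool, lets A, B and C each keep an `openssl ca` revocation database and publish a CRL, and verifies D with `openssl verify -crl_check_all`, so that D is checked against C's CRL, C against B's CRL and B against A's CRL. The names A..D, the file layout, the serial numbers 1..4, the P-256 keys and the helper function names are assumptions made here; the script needs only `openssl` on the PATH and `mktemp`.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project: the
# chain A -> B -> C -> D from the reply, built with the openssl CLI. Every CA
# keeps an `openssl ca` revocation database and signs its own CRL; `openssl
# verify -crl_check_all` then checks D against C's CRL, C against B's CRL and
# B against A's CRL. Names, paths, serials 1..4 and P-256 keys are choices
# made for this example, and all openssl chatter is sent to /dev/null.
set -eu

# issue_cert NAME ISSUER SERIAL EXTFILE : key + certificate for NAME, signed
# by ISSUER (self-signed when ISSUER is empty). Runs inside the tree's dir.
issue_cert() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$1" -config req.cnf -out "$1.csr" 2>/dev/null
    if [ -z "$2" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$3" \
            -days 365 -extfile "$4" -out "$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "$3" \
            -days 365 -extfile "$4" -out "$1.crt" 2>/dev/null
    fi
}

# ca_init CA : the minimum `openssl ca` needs to record revocations and sign
# CRLs for CA (certificates themselves are issued with `openssl x509` above).
ca_init() {
    mkdir -p "$1"; : > "$1/index.txt"; echo 01 > "$1/crlnumber"; echo 01 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = $1
[ $1 ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = ../$1.crt
private_key      = ../$1.key
default_md       = sha256
default_crl_days = 30
EOF
}

# gen_crl DIR CA : (re)issue CA's CRL from its revocation database
gen_crl() {
    ( cd "$1/$2" && openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null )
}

# revoke_cert DIR ISSUER NAME : ISSUER marks NAME's serial revoked and reissues
# its CRL. Nothing stops a CA listing a serial it never issued; whether that
# has any effect is decided by the verifier (see chain_verify).
revoke_cert() {
    ( cd "$1/$2" && openssl ca -config ca.cnf -revoke "../$3.crt" 2>/dev/null )
    gen_crl "$1" "$2"
}

# pki_setup DIR : build A -> B -> C -> D in DIR plus an empty CRL per CA
pki_setup() (
    mkdir -p "$1"; cd "$1"
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\n' > leaf.ext
    issue_cert A "" 1 ca.ext
    issue_cert B A  2 ca.ext
    issue_cert C B  3 ca.ext
    issue_cert D C  4 leaf.ext
    cat B.crt C.crt > chain.pem        # intermediates, handed to verify as -untrusted
    for ca in A B C; do ca_init "$ca"; gen_crl . "$ca"; done
)

# chain_verify DIR : verify D up to the trusted root A with all three CRLs
# loaded. With -crl_check_all OpenSSL looks up, for every certificate in the
# chain (root included, hence A's CRL), a CRL signed by that certificate's
# issuer. Prints "valid", "revoked" or "invalid"; the verdict is taken from
# the output because old releases exit 0 even on failure.
chain_verify() (
    cd "$1"; cat A/crl.pem B/crl.pem C/crl.pem > crls.pem
    out=$(openssl verify -crl_check_all -CAfile A.crt -untrusted chain.pem \
              -CRLfile crls.pem D.crt 2>&1) || true
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
)

# The scenarios from the thread, on fresh trees.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    d=$(mktemp -d) && pki_setup "$d"
    echo "fresh tree, empty CRLs:                $(chain_verify "$d")"   # valid
    revoke_cert "$d" B D
    echo "B lists D's serial (B never issued D): $(chain_verify "$d")"   # valid
    revoke_cert "$d" C D
    echo "C, D's issuer, revokes D:              $(chain_verify "$d")"   # revoked
    rm -rf "$d"; d=$(mktemp -d) && pki_setup "$d"
    revoke_cert "$d" A B
    echo "A revokes B, D itself untouched:       $(chain_verify "$d")"   # revoked
    rm -rf "$d"
}
demo
```

The four verdicts are valid, valid, revoked, revoked. The second case is question 2 in OpenSSL's terms: each certificate is matched only against a CRL signed by its own issuer, so B's CRL listing D's serial changes nothing, whereas A revoking B makes D unverifiable even though D's own serial appears in no CRL. One caveat to the reply's "except the root": with -crl_check_all OpenSSL also looks for a CRL signed by the root when it reaches the root certificate itself, and reports "unable to get certificate CRL" if none is loaded; here A's CRL, which A publishes for B's status anyway, covers that. For the mutual-TLS situation in question 1, the same flags (X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL, set with X509_STORE_set_flags on the certificate store behind the SSL_CTX) are what give the verifying peer this behaviour; the side presenting a certificate never consults a CRL for its own certificate.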