
src/openssl.c: enable check for revocation if CRL is added to store

Open fffonion opened this issue 5 years ago • 4 comments

fffonion avatar Feb 26 '20 22:02 fffonion

Why wouldn't we turn this on all the time? Or expose it so a user can turn the flag on/off as they want?

daurnimator avatar Jul 05 '20 09:07 daurnimator

@daurnimator If we set the X509_V_FLAG_CRL_CHECK flag but no CRL is added to the store, the verification will always fail with "unable to get certificate CRL", and this might break existing applications. But it's also true that if some applications rely on the current behaviour that a CRL never gets checked even if it's added, they will also break, although they shouldn't in the first place. I agree exposing it will be a sane approach regarding breaking changes, though there'll be more diff. I can make that change if it's okay.

fffonion avatar Jul 06 '20 11:07 fffonion

I agree exposing it will be a sane approach regarding breaking changes, though there'll be more diff. I can make that change if it's okay.

Would it make sense to expose all the verification flags? X509_V_FLAG_CRL_CHECK/X509_V_FLAG_CRL_CHECK_ALL/X509_V_FLAG_EXTENDED_CRL_SUPPORT/X509_V_FLAG_EXTENDED_CRL_SUPPORT/etc.

daurnimator avatar Jul 06 '20 12:07 daurnimator

Yeah, good point to expose all CRL verification flags.

fffonion avatar Jul 06 '20 12:07 fffonion