
An expired CRL should not override a successful match in other CRL

Open per-allansson opened this issue 1 year ago • 2 comments

Description

If we have an expired CRL and load another non-expired CRL, the current CRL check ends up returning the error from checking the CRL next date, while it found a good CRL match before that. This can be seen happening in wolfSSL debug logs, for example here:

[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Entering CheckCertCRL
[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Found CRL Entry on list
[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Checking next date validity
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Found CRL Entry on list
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Checking next date validity
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Date AFTER check failed
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] CRL next date is no longer valid
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1]        CRL check not ok
 ...
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] verify_callback err: -151

Testing

Verified in internal tests.

Checklist

  • [ ] added tests
  • [ ] updated/added doxygen
  • [ ] updated appropriate READMEs
  • [ ] Updated manual and documentation

per-allansson, Apr 26 '24 07:04
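The failure mode in the report is a list walk where a later expired entry's error overwrites an earlier successful match for the same issuer. The following is an added, constructed illustration (not wolfSSL's code; the structures, names and return codes are invented for the example): `checkCrlOverwrite` reproduces the overwrite pattern visible in the log, and `checkCrlFirstValid` shows the intended behaviour, where a valid CRL match ends the search and an expired entry is only reported when no valid CRL for that issuer exists.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed model of a CRL cache: a flat array of entries keyed by
 * issuer name, each carrying its nextUpdate time. Not wolfSSL's layout. */
#define CRL_OK        0
#define CRL_NO_ENTRY -1   /* no CRL for this issuer on the list at all */
#define CRL_EXPIRED  -2   /* stands in for the "next date no longer valid" error */

typedef struct {
    const char *issuer;     /* issuer name this CRL covers (constructed) */
    time_t      nextUpdate; /* the CRL's nextUpdate field */
} CrlEntry;

/* Validity of one entry at time 'now'. */
static int crlEntryValid(const CrlEntry *e, time_t now) {
    return (e->nextUpdate > now) ? CRL_OK : CRL_EXPIRED;
}

/* Pattern described in the issue: keep walking after a good match, so a
 * later expired entry for the same issuer overwrites the earlier CRL_OK. */
int checkCrlOverwrite(const CrlEntry *list, size_t n, const char *issuer, time_t now) {
    int ret = CRL_NO_ENTRY;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i].issuer, issuer) != 0)
            continue;
        ret = crlEntryValid(&list[i], now);   /* clobbers a previous CRL_OK */
    }
    return ret;
}

/* Corrected pattern: the first valid CRL for the issuer decides the result;
 * a failure is remembered only so it can be reported if no valid CRL exists. */
int checkCrlFirstValid(const CrlEntry *list, size_t n, const char *issuer, time_t now) {
    int ret = CRL_NO_ENTRY;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i].issuer, issuer) != 0)
            continue;
        int r = crlEntryValid(&list[i], now);
        if (r == CRL_OK)
            return CRL_OK;                    /* good CRL found: stop here */
        ret = r;                              /* keep looking, remember the error */
    }
    return ret;
}

/* Constructed scenarios. 'corrected' selects which checker runs;
 * 'includeValid' adds a fresh CRL ahead of the stale one, as in the log,
 * where the freshly loaded CRL is found first and the expired one second. */
int runScenario(int corrected, int includeValid) {
    time_t now = 1714110357;                  /* 2024-04-26T05:45:57Z, the report's timestamp */
    CrlEntry list[2];
    size_t n = 0;
    if (includeValid) {
        list[n].issuer = "CN=Example CA";
        list[n].nextUpdate = now + 86400;     /* valid for one more day */
        n++;
    }
    list[n].issuer = "CN=Example CA";
    list[n].nextUpdate = now - 86400;         /* stale CRL, expired a day ago */
    n++;

    return corrected ? checkCrlFirstValid(list, n, "CN=Example CA", now)
                     : checkCrlOverwrite(list, n, "CN=Example CA", now);
}

int main(void) {
    printf("overwrite, valid+expired: %d\n", runScenario(0, 1));  /* -2: bug */
    printf("first-valid, valid+expired: %d\n", runScenario(1, 1)); /*  0: fixed */
    printf("first-valid, expired only: %d\n", runScenario(1, 0));  /* -2: still reported */
    return 0;
}
```

With both entries present, the overwrite variant returns the expiry error even though a good CRL was matched, which is the situation the log shows; the first-valid variant returns success, and still reports expiry when the stale CRL is the only one available, so a genuinely outdated CRL is not silently accepted.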

Can one of the admins verify this patch?

wolfSSL-Bot, Apr 26 '24 07:04

Okay to test. Contributor agreement on file.

dgarske, Apr 26 '24 13:04