Patel, Anirudh (Anirudh)
2016-07-20 07:27:47 UTC
Hi,
This is related to the X509 store cache (had a similar ticket openssl.org #4615 which I guess has already become stale). But, I believe that the documentation regarding X509_LOOKUP_hash_dir is not at all clear and is quite misleading:
From the manual page: X509_LOOKUP_hash_dir<https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html>
"X509_LOOKUP_hash_dir is a more advanced method, which loads certificates and CRLs on demand, and caches them in memory once they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer CRLs are as soon as they appear in the directory. When checking for new CRLs once one CRL for given hash value is loaded, hash_dir lookup method checks only for certificates with sequence number greater than that of the already cached CRL" - This certainly not happens. It should have stated that only unique file names will be loaded for once from the disk and the new ones for the same issuer will not be looked up even if you change the sequence number. This is a big problem and a difficult one to address, once for a unique issuer name a CRL file is loaded from the disk and stored in the cache, no matter if you replace the old CRL file with a new one, keeping the naming convention to whatever $hash.r0 or$hash.r1 this is never going to be looked up and loaded in the cache since the issuer name is already present in the cache. I guess this should be fixed.
Quoting one of the explanations that I got from you guys:
"The point is that they are loaded when a new file appears, meaning, a file with a name not yet present. Once that file is loaded, it's not been loaded from disk again (as implied by the 'caches'), also not when it changes"
Just to solve my problem:
Is there any way to clear the store cache every time before openssl kicks off with the validation process (invoke X509_verify_cert and the results verify_callback). I would want to clear the cache so that during every (current) lookup at the time of handshake - CRL files present on the disk are referenced and are loaded in the cache (since we cleared it earlier, thus the file name will be unique/new)? Is there any API which clears the cache?
This is related to the X509 store cache (had a similar ticket openssl.org #4615 which I guess has already become stale). But, I believe that the documentation regarding X509_LOOKUP_hash_dir is not at all clear and is quite misleading:
From the manual page: X509_LOOKUP_hash_dir<https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html>
"X509_LOOKUP_hash_dir is a more advanced method, which loads certificates and CRLs on demand, and caches them in memory once they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer CRLs are as soon as they appear in the directory. When checking for new CRLs once one CRL for given hash value is loaded, hash_dir lookup method checks only for certificates with sequence number greater than that of the already cached CRL" - This certainly not happens. It should have stated that only unique file names will be loaded for once from the disk and the new ones for the same issuer will not be looked up even if you change the sequence number. This is a big problem and a difficult one to address, once for a unique issuer name a CRL file is loaded from the disk and stored in the cache, no matter if you replace the old CRL file with a new one, keeping the naming convention to whatever $hash.r0 or$hash.r1 this is never going to be looked up and loaded in the cache since the issuer name is already present in the cache. I guess this should be fixed.
Quoting one of the explanations that I got from you guys:
"The point is that they are loaded when a new file appears, meaning, a file with a name not yet present. Once that file is loaded, it's not been loaded from disk again (as implied by the 'caches'), also not when it changes"
Just to solve my problem:
Is there any way to clear the store cache every time before openssl kicks off with the validation process (invoke X509_verify_cert and the results verify_callback). I would want to clear the cache so that during every (current) lookup at the time of handshake - CRL files present on the disk are referenced and are loaded in the cache (since we cleared it earlier, thus the file name will be unique/new)? Is there any API which clears the cache?