Discussion:
[openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir
Stephen Henson via RT
2016-07-22 12:59:46 UTC
Permalink
If there are multiple CRLs with the appropriate scope then the first one where the current time falls between lastUpdate and nextUpdate is used.
It is possible to dynamically update CRLs but currently only the time criterion is used. So if the first one fails the time test the next is used. This isn't ideal and something relying on the most recent or the highest CRL number would be preferable.
Please try the attached patch. This should end up using the most recent CRL
instead of the first one it sees. I've done some checks and dynamic update
works with this change. Note that if you happen to have two CRLs with an
identical lastUpdate field (down to the second) then it will just use the first
CRL it encounters again. This shouldn't be a problem in practice.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
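The three selection rules discussed in this message, as an added Python model. This is example code written for this page, not OpenSSL's implementation or the attached patch; the issuer names, file names, times and CRL numbers are constructed, and "scope" is reduced to an issuer match.

```python
"""Constructed model of the CRL selection rules described in ticket #4615.

Added example, not OpenSSL code. It models a hash directory lookup
(X509_LOOKUP_add_dir) that yields several CRLs for one issuer and compares
three ways to choose among them:

  first_time_valid   - pre-patch rule: the first CRL whose
                       lastUpdate <= now <= nextUpdate wins
  most_recent_valid  - rule of the proposed patch: among time-valid CRLs the
                       latest lastUpdate; an identical lastUpdate (to the
                       second) falls back to the first CRL encountered
  highest_crl_number - the CRL Number based choice mentioned as preferable

Issuer strings, file names, times and CRL numbers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Crl:
    name: str             # hypothetical file name in the lookup directory
    issuer: str           # issuer DN; scope is modelled as issuer match only
    last_update: datetime
    next_update: datetime
    crl_number: int       # value of the CRL Number extension


def in_scope(crl: Crl, issuer: str) -> bool:
    """The ticket's 'appropriate scope', reduced here to an issuer match."""
    return crl.issuer == issuer


def time_valid(crl: Crl, now: datetime) -> bool:
    """lastUpdate <= now <= nextUpdate (X.509 times have one-second resolution)."""
    return crl.last_update <= now <= crl.next_update


def first_time_valid(crls: Sequence[Crl], issuer: str, now: datetime) -> Optional[Crl]:
    """Pre-patch behaviour: the first in-scope CRL that passes the time test."""
    for crl in crls:
        if in_scope(crl, issuer) and time_valid(crl, now):
            return crl
    return None


def most_recent_valid(crls: Sequence[Crl], issuer: str, now: datetime) -> Optional[Crl]:
    """Patched behaviour: latest lastUpdate among time-valid CRLs, first seen on a tie."""
    best: Optional[Crl] = None
    for crl in crls:
        if not (in_scope(crl, issuer) and time_valid(crl, now)):
            continue
        # Strict '>' means a later CRL with an identical lastUpdate never
        # replaces the one already chosen: the tie case noted in the message.
        if best is None or crl.last_update > best.last_update:
            best = crl
    return best


def highest_crl_number(crls: Sequence[Crl], issuer: str, now: datetime) -> Optional[Crl]:
    """Alternative rule: highest CRL Number among time-valid CRLs."""
    candidates = [c for c in crls if in_scope(c, issuer) and time_valid(c, now)]
    return max(candidates, key=lambda c: c.crl_number, default=None)


# Constructed directory contents. Names follow the <hash>.r<N> pattern a hash
# directory uses for CRLs; the hash values here are made up.
T0 = datetime(2016, 7, 22, 12, 0, 0, tzinfo=timezone.utc)
DAY = timedelta(days=1)
ISSUER = "CN=Example CA"

CRLS = [
    Crl("abcd1234.r0", ISSUER, T0 - 5 * DAY, T0 + 2 * DAY, 10),  # old, still valid
    Crl("abcd1234.r1", ISSUER, T0 - 1 * DAY, T0 + 6 * DAY, 11),  # newer
    Crl("abcd1234.r2", ISSUER, T0 - 1 * DAY, T0 + 6 * DAY, 12),  # same lastUpdate as r1
    Crl("abcd1234.r3", ISSUER, T0 + 1 * DAY, T0 + 8 * DAY, 13),  # not yet valid at T0
    Crl("9999ffff.r0", "CN=Other CA", T0 - 1 * DAY, T0 + 6 * DAY, 99),  # out of scope
]


def choices(now: datetime, issuer: str = ISSUER,
            crls: Sequence[Crl] = CRLS) -> Dict[str, Optional[str]]:
    """File name each rule selects at `now`, or None when nothing qualifies."""
    result: Dict[str, Optional[str]] = {}
    for rule in (first_time_valid, most_recent_valid, highest_crl_number):
        picked = rule(crls, issuer, now)
        result[rule.__name__] = picked.name if picked else None
    return result


if __name__ == "__main__":
    for when in (T0, T0 + 3 * DAY):
        print(when.isoformat(), choices(when))
```

At T0 the three rules disagree: the pre-patch rule returns the oldest still-valid CRL (r0), the patched rule returns r1 and keeps it on the lastUpdate tie with r2, and the CRL Number rule returns r2. To feed real files into such a comparison the relevant fields can be read with `openssl crl -in <file> -noout -lastupdate -nextupdate -crlnumber`.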
Patel, Anirudh (Anirudh)
2016-07-24 18:18:03 UTC
Permalink
Thanks a lot !!! Will definitely try it out :)

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-***@openssl.org] On Behalf Of Stephen Henson via RT
Sent: Friday, July 22, 2016 6:30 PM
To: ***@gmail.com
Cc: openssl-***@openssl.org
Subject: [openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir
If there are multiple CRLs with the appropriate scope then the first one where the current time falls between lastUpdate and nextUpdate is used.
It is possible to dynamically update CRLs but currently only the time criterion is used. So if the first one fails the time test the next is used. This isn't ideal and something relying on the most recent or the highest CRL number would be preferable.
Please try the attached patch. This should end up using the most recent CRL instead of the first one it sees. I've done some checks and dynamic update works with this change. Note that if you happen to have two CRLs with an identical lastUpdate field (down to the second) then it will just use the first CRL it encounters again. This shouldn't be a problem in practice.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev