[openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir
Anirudh Patel via RT
rt at openssl.org
Thu Jul 14 11:25:22 UTC 2016
Hi,
I have a query related to how these APIs X509_STORE_add_lookup()
and X509_LOOKUP_add_dir() work. Let me give you a brief explanation of what
I am doing:
Purpose was to add lookup for CRLs.
First when my server starts and my SSL initializes I have successfully
created a store to which lookup has been added for CRL directory.
- pLookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
- X509_LOOKUP_add_dir(pLookup, mCRLPath.c_str(), X509_FILETYPE_PEM)
Example CRL Directory: /var/cert/CRL/
Scenario:
1) When the system start no CRL files are present in the CRL Directory
2) Client_1 initiates a connection to my server (using openssl s_client)
3) Openssl does the lookup of CRLs for the corresponding (Sub) CAs and does
not find anything thus, giving error in the verify_callback
(UNABLE_TO_GET_CRL). In the application code I have handled these
errors gracefully Callback is again called for further validation and the
connection is accepted.
*Result: Satisfied*
1) Now, I place two CRLs (Sub CA,Root CA) in the CRL directory (server was
still up and I did not stopped it)
I have created a crl -hash (issuer hash) and linked them to CRL pem
certificates.
*$hash(rootca).r0 -> root_ca.pem*
*$hash(subca).r0 -> sub_ca.pem*
2) Client_1 again initiates a connection to my server (using openssl
s_client) (client certificate chain is : ID/Sub CA/Root CA)
3) Openssl does a lookup of CRLs and does not throw any error. Validation
happened with verify_callback getting invoked 3 times with preverify_ok =
1. Client connection is accepted
*Result: Satisfied*
1) Now, I removed the above CRL files (Sub CA/Root CA) from the CRL
directory. Based on the manual page these CRLs should be now in the cached
memory of X509_OBJECT.
2) I repeated steps (2) and (3). Connection gets accepted from the client.
Everything still works fine because openssl maintined CRL files in its
cache and found them during the lookup.
*Result: Satisfied*
Now from here the problem starts:
=========================
1) My Sub_CA revoked Client_1 certificate (since Sub_CA was the issuing CA
in the first place)
2) I recreated Sub_CA CRL and placed it in the CRL Directory.
3) Created the hash and linked it as follows:
*$hash(sub_ca).r1* -> sub_ca.pem (hoping that openssl still has
$hash(sub_ca).r0 in its cache, since above we have seen that the lookup
worked even when I removed the CRL files from the CRL Directory)
4) Client_1 initiates a connection to my server and gets accepted
successfully ==== Should Not Have Happened
Based on the manual page for *X509_LOOKUP_hash_dir
- https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html
<https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html>*
> When checking for new CRLs once one CRL for given hash value is loaded,
> hash_dir lookup method checks only for certificates with sequence number
> greater than that of the already cached CRL.
Since, the sequence number has changed from r0 to r1 for same issuer
(sub_ca in my case) openssl should have done a lookup and based on the
latest sequence number should have given me an error stating Client
Certificate has been revoked.
Just to let you know, I have tested revoked certificates with the CRL and
it works fine. So no problem with that.
Openssl Version I am using is *OpenSSL 1.0.1e-fips 11 Feb 2013*
Eagerly awaiting your response. Need to implement CRL functionality ASAP
and hoping to get all the help from you guys.
Regards,
Anirudh
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
More information about the openssl-dev
mailing list