[openssl-dev] [openssl.org #4615] AutoReply: Cache utility behaving strange with X509_LOOKUP_add_dir

Anirudh Patel via RT rt at openssl.org
Thu Jul 14 12:22:08 UTC 2016 

On Thu, Jul 14, 2016 at 4:55 PM, The default queue via RT <rt at openssl.org>
wrote:

>
> Greetings,
>
> This message has been automatically generated in response to the
> creation of a trouble ticket regarding:
>         "Cache utility behaving strange with X509_LOOKUP_add_dir",
> a summary of which appears below.
>
> There is no need to reply to this message right now.  Your ticket has been
> assigned an ID of [openssl.org #4615].
>
> Please include the string:
>
>          [openssl.org #4615]
>
> in the subject line of all future correspondence about this issue. To do
> so,
> you may reply to this message.
>
>                         Thank you,
>                         rt at openssl.org
>
> -------------------------------------------------------------------------
> Hi,
>
> I have a query related to how these APIs X509_STORE_add_lookup()
> and X509_LOOKUP_add_dir() work. Let me give you a brief explanation of what
> I am doing:
>
> Purpose was to add lookup for CRLs.
>
> First when my server starts and my SSL initializes I have successfully
> created a store to which lookup has been added for CRL directory.
>
>    - pLookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
>    - X509_LOOKUP_add_dir(pLookup, mCRLPath.c_str(), X509_FILETYPE_PEM)
>
> Example CRL Directory: /var/cert/CRL/
> Scenario:
> 1) When the system start no CRL files are present in the CRL Directory
> 2) Client_1 initiates a connection to my server (using openssl s_client)
> 3) Openssl does the lookup of CRLs for the corresponding (Sub) CAs and does
> not find anything thus, giving error in the verify_callback
> (UNABLE_TO_GET_CRL). In the application code I have     handled these
> errors gracefully Callback is again called for further validation and the
> connection is accepted.
> *Result: Satisfied*
>
> 1) Now, I place two CRLs (Sub CA,Root CA) in the CRL directory (server was
> still up and I did not stopped it)
>     I have created a crl -hash (issuer hash) and linked them to CRL pem
> certificates.
>     *$hash(rootca).r0 -> root_ca.pem*
>     *$hash(subca).r0 -> sub_ca.pem*
> 2) Client_1 again initiates a connection to my server (using openssl
> s_client) (client certificate chain is : ID/Sub CA/Root CA)
> 3) Openssl does a lookup of CRLs and does not throw any error. Validation
> happened with verify_callback getting invoked 3 times with preverify_ok =
> 1. Client connection is accepted
> *Result: Satisfied*
>
> 1) Now, I removed the above CRL files (Sub CA/Root CA) from the CRL
> directory. Based on the manual page these CRLs should be now in the cached
> memory of X509_OBJECT.
> 2) I repeated steps (2) and (3). Connection gets accepted from the client.
> Everything still works fine because openssl maintined CRL files in its
> cache and found them during the lookup.
> *Result: Satisfied*
>
> Now from here the problem starts:
> =========================
> 1) My Sub_CA revoked Client_1 certificate (since Sub_CA was the issuing CA
> in the first place)
> 2) I recreated Sub_CA CRL and placed it in the CRL Directory.
> 3) Created the hash and linked it as follows:
>     *$hash(sub_ca).r1* -> sub_ca.pem  (hoping that openssl still has
> $hash(sub_ca).r0 in its cache, since above we have seen that the lookup
> worked even when I removed the CRL files from       the CRL Directory)
> 4) Client_1 initiates a connection to my server and gets accepted
> successfully ==== Should Not Have Happened
> Based on the manual page for *X509_LOOKUP_hash_dir
> - https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html
> <https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html>*
>
> > When checking for new CRLs once one CRL for given hash value is loaded,
> > hash_dir lookup method checks only for certificates with sequence number
> > greater than that of the already cached CRL.
>
> Since, the sequence number has changed from r0 to r1 for same issuer
> (sub_ca in my case) openssl should have done a lookup and based on the
> latest sequence number should have given me an error stating Client
> Certificate has been revoked.
>
> Just to let you know, I have tested revoked certificates with the CRL and
> it works fine. So no problem with that.
> Openssl Version I am using is *OpenSSL 1.0.1e-fips 11 Feb 2013*
>
> Eagerly awaiting your response. Need to implement CRL functionality ASAP
> and hoping to get all the help from you guys.
>
> Regards,
> Anirudh
>
>
> -------------------------------------------------------------------------
> http://rt.openssl.org/Ticket/Display.html?id=4615&user=guest&pass=guest
>

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list