[openssl-dev] Clear X509 OBJECT cache

Dr. Stephen Henson steve at openssl.org
Wed Jul 20 14:07:37 UTC 2016


On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:

> "X509_LOOKUP_hash_dir  is a more advanced method, which loads certificates
> and CRLs on demand, and caches them in memory once they are loaded. As of
> OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer
> CRLs are as soon as they appear in the directory. When checking for new CRLs
> once one CRL for given hash value is loaded, hash_dir lookup method checks
> only for certificates with sequence number greater than that of the already
> cached CRL" - This certainly does not happen. It should have stated that only
> unique file names will be loaded once from the disk and the new ones for
> the same issuer will not be looked up even if you change the sequence
> number.
> 

They should be looked up: if they aren't this is a bug.

The problem is that unless the current time exceeds the nextUpdate field of
the new CRL it won't be used: it will use the first one where the current time
is between lastUpdate and nextUpdate.

When you added a new CRL was it just "newer" (i.e. thisUpdate later than the
current one) or had the current time exceeded nextUpdate? If the latter and
the new CRL wasn't used that's a bug which should be fixed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
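The selection behaviour Steve describes, as an added example that is not OpenSSL's own code: a Python model in which a hash_dir-style lookup probes for new `<hash>.rN` files on every lookup but returns the first cached CRL whose lastUpdate..nextUpdate window contains the current time, so a merely "newer" CRL is only picked up once the cached one's nextUpdate has passed. The class, the issuer hash and the dates are constructed for the illustration.

```python
# Model of X509_LOOKUP_hash_dir CRL caching as described in the reply above.
# It does not call OpenSSL; "directory" is a constructed dict standing in for
# the <hash>.r<N> files on disk.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Crl:
    seq: int                 # the N in the <hash>.rN file name
    this_update: datetime    # lastUpdate / thisUpdate of the CRL
    next_update: datetime    # nextUpdate of the CRL


class HashDirLookup:
    def __init__(self, directory):
        self.directory = directory   # {"<hash>.r<N>": Crl}
        self.cache = {}              # issuer hash -> CRLs loaded so far, in order
        self.next_seq = {}           # issuer hash -> next sequence number to probe

    def _load_newer(self, issuer_hash):
        # hash_dir only probes sequence numbers above those already cached
        seq = self.next_seq.get(issuer_hash, 0)
        while f"{issuer_hash}.r{seq}" in self.directory:
            crl = self.directory[f"{issuer_hash}.r{seq}"]
            self.cache.setdefault(issuer_hash, []).append(crl)
            seq += 1
        self.next_seq[issuer_hash] = seq

    def get_crl(self, issuer_hash, now):
        self._load_newer(issuer_hash)   # each lookup checks for new files
        # first CRL whose [lastUpdate, nextUpdate) window contains "now";
        # a newer CRL further down the list is ignored while this one is valid
        for crl in self.cache.get(issuer_hash, []):
            if crl.this_update <= now < crl.next_update:
                return crl
        return None


def demo():
    t0 = datetime(2016, 7, 1)
    h = "0123abcd"   # constructed issuer-name hash
    files = {f"{h}.r0": Crl(0, t0, t0 + timedelta(days=7))}
    lookup = HashDirLookup(files)
    a = lookup.get_crl(h, t0 + timedelta(days=1)).seq                # r0 is valid
    # a "newer" CRL (later thisUpdate) appears while r0 is still within its window
    files[f"{h}.r1"] = Crl(1, t0 + timedelta(days=2), t0 + timedelta(days=9))
    b = lookup.get_crl(h, t0 + timedelta(days=3)).seq                # still r0
    c = lookup.get_crl(h, t0 + timedelta(days=7, hours=1)).seq       # r0 expired -> r1
    none_left = lookup.get_crl(h, t0 + timedelta(days=10)) is None   # both expired
    return a, b, c, none_left
```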

