[openssl-dev] Clear X509 OBJECT cache

Dr. Stephen Henson steve at openssl.org
Wed Jul 20 14:11:53 UTC 2016


On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:

> On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
> 
> > On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
> > 
> > > "X509_LOOKUP_hash_dir  is a more advanced method, which loads certificates
> > > and CRLs on demand, and caches them in memory once they are loaded. As of
> > > OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so that newer
> > > CRLs are used as soon as they appear in the directory. When checking for new CRLs
> > > once one CRL for given hash value is loaded, hash_dir lookup method checks
> > > only for certificates with sequence number greater than that of the already
> > > cached CRL" - This certainly does not happen. It should have stated that only
> > > unique file names will be loaded once from the disk and the new ones for
> > > the same issuer will not be looked up even if you change the sequence
> > > number.
> > > 
> > 
> > They should be looked up: if they aren't this is a bug.
> > 
> > The problem is that unless the current time exceeds the nextUpdate field of
> > the new CRL it won't be used: it will use the first one where the current time
> > is between lastUpdate and nextUpdate.
> > 
> > When you added a new CRL was it just "newer" (i.e. thisUpdate later than the
> > the new CRL wasn't used that's a bug which should be fixed.
> > 
> 
> Argh... I mean "lastUpdate" not "lastUpdate".
> 

Oops.. ;-)

Err... I'll try that again. I meant "lastUpdate" not "thisUpdate".

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
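As an added illustration of the hash_dir layout the thread is about (constructed here, not part of the original post or of OpenSSL), the script below builds a throwaway CA, issues one leaf certificate, and stores two CRLs from the same issuer as <hash>.r0 and <hash>.r1, then prints the crlNumber, lastUpdate and nextUpdate fields that the lookup and the verifier decide on. It assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, one leaf cert, two CRLs from the same issuer
# stored as <hash>.r0 and <hash>.r1 (add the next suffix; do not overwrite .r0).
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=DemoCA -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj /CN=leaf >/dev/null 2>&1
openssl ca -config ca.cnf -batch -days 30 -in leaf.csr -out leaf.crt >/dev/null 2>&1
# Hash directory: <hash>.0 holds the CA cert, <hash>.rN the CRLs in sequence.
mkdir certs
H=$(openssl x509 -in ca.crt -noout -hash)
cp ca.crt "certs/$H.0"
openssl ca -config ca.cnf -gencrl -out "certs/$H.r0" 2>/dev/null  # crlNumber 1, nothing revoked
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out "certs/$H.r1" 2>/dev/null  # crlNumber 2, leaf revoked
# crlNumber of a CRL file as a decimal integer (strips the "0x" some versions print).
crl_number() {
  n=$(openssl crl -in "$1" -noout -crlnumber | sed 's/^crlNumber=//; s/^0x//')
  echo $((0x$n))
}
# The validity window each CRL advertises: the fields the selection is based on.
crl_window() { openssl crl -in "$1" -noout -lastupdate -nextupdate; }
for f in "certs/$H".r*; do
  echo "$f crlNumber=$(crl_number "$f")"; crl_window "$f"
done
# Which of the loaded CRLs is used depends on the verifier's selection; show the outcome.
if openssl verify -CApath certs -crl_check leaf.crt >/dev/null 2>&1; then
  echo "leaf verifies: the CRL that revokes it was not selected"
else
  echo "leaf rejected: the CRL that revokes it was selected"
fi
```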

