[openssl-dev] Clear X509 OBJECT cache

Patel, Anirudh (Anirudh) anirudhp at avaya.com
Wed Jul 20 18:04:12 UTC 2016


Thanks a lot for explaining this so clearly.

OLD CRL (present in cache): Last Update: Jul 18 11:42:52 2016 GMT
                            Next Update: Aug 17 11:42:52 2016 GMT
                            X509v3 CRL Number: 20480
Got an incoming connection when the current time was between the above (lastUpdate : current_time : nextUpdate) and thus this file got picked during the lookup, just like you explained:

> When you added a new CRL was it just "newer" (i.e. lastUpdate later than the current one)
Yes.
NEW CRL on disk: Last Update: Jul 18 12:24:39 2016 GMT
                 Next Update: Aug 17 12:24:39 2016 GMT
                 X509v3 CRL Number: 20481

Got an incoming connection when the current time is still between OLD CRL's (lastUpdate and nextUpdate), i.e. the current time has not exceeded OLD CRL's nextUpdate, and thus the newer CRL file is never looked up (ignored).

You rightly said that we should have taken CRL Number into consideration during lookups.

So, now can you tell me how to go about it? I cannot restart my server to load the CRL files again. Is it possible for me to clear the cache before validation kicks off for every incoming connection? If yes, please tell me the API which can do this.

Thanks,
Anirudh

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, July 20, 2016 7:42 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] Clear X509 OBJECT cache

On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:

> On Wed, Jul 20, 2016, Dr. Stephen Henson wrote:
> 
> > On Wed, Jul 20, 2016, Patel, Anirudh (Anirudh) wrote:
> > 
> > > "X509_LOOKUP_hash_dir  is a more advanced method, which loads 
> > > certificates and CRLs on demand, and caches them in memory once 
> > > they are loaded. As of OpenSSL 1.0.0, it also checks for newer 
> > > CRLs upon each lookup, so that newer CRLs are as soon as they 
> > > appear in the directory. When checking for new CRLs once one CRL 
> > > for given hash value is loaded, hash_dir lookup method checks only 
> > > for certificates with sequence number greater than that of the 
> > > already cached CRL" - This certainly does not happen. It should have 
> > > stated that only unique file names will be loaded for once from 
> > > the disk and the new ones for the same issuer will not be looked up even if you change the sequence number.
> > > 
> > 
> > They should be looked up: if they aren't this is a bug.
> > 
> > The problem is that unless the current time exceeds the nextUpdate 
> > field of the new CRL it wont be used: it will use the first one 
> > where the current time is between lastUpdate and nextUpdate.
> > 
> > When you added a new CRL was it just "newer" (i.e. thisUpdate later 
> > than the the new CRL wasn't used that's a bug which should be fixed.
> > 
> 
> Argh... I mean "lastUpdate" not "lastUpdate".
> 

Oops.. ;-)

Err... I'll try that again. I meant "lastUpdate" not "thisUpdate".

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openssl.org&d=CwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=r_yFHjnA3pyorIMQVU-vjyndTmY6-rsuMCBf8EzS6oU&m=PFSfcnSGg1bGMDtJ40-ga01mSVP5ue8Pkfes0hfaw-E&s=_B-3I5EwxUCu1umKQkjmPAo0rDCElpGg0akAD6ecDcU&e=
--
openssl-dev mailing list
To unsubscribe: https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Ddev&d=CwICAg&c=BFpWQw8bsuKpl1SgiZH64Q&r=r_yFHjnA3pyorIMQVU-vjyndTmY6-rsuMCBf8EzS6oU&m=PFSfcnSGg1bGMDtJ40-ga01mSVP5ue8Pkfes0hfaw-E&s=e09sSwcDm-McZPDbgwFI6MlsKM9oiwB0pgLEhvlKvg4&e= 
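Added example (not code from this thread, from Avaya or from OpenSSL): a Go program, using only Go's crypto/x509, that reproduces the situation above with real signed CRLs carrying the quoted lastUpdate/nextUpdate windows and CRL Numbers, and compares the two selection rules at issue: the "first CRL whose window contains the current time" rule Steve describes, versus taking the highest CRL Number among the in-window CRLs. It does not call OpenSSL's hash_dir lookup; it models each rule in plain code over the parsed CRLs. The issuer name, its key, the serial 0x1337 and the check time (the timestamp of this message) are assumptions made up for the example; the serial is listed only in CRL 20481, so whichever rule still selects CRL 20480 will accept a certificate that has already been revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Windows and CRL Numbers are those quoted in the thread; issuer, key and RevokedSerial are constructed.
var (
	oldThis       = time.Date(2016, time.July, 18, 11, 42, 52, 0, time.UTC)
	oldNext       = time.Date(2016, time.August, 17, 11, 42, 52, 0, time.UTC)
	newThis       = time.Date(2016, time.July, 18, 12, 24, 39, 0, time.UTC)
	newNext       = time.Date(2016, time.August, 17, 12, 24, 39, 0, time.UTC)
	RevokedSerial = big.NewInt(0x1337) // listed in CRL 20481 only
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssuer builds a throwaway CA that is allowed to sign CRLs.
func mustIssuer() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CRL Issuer"},
		NotBefore: oldThis.Add(-24 * time.Hour), NotAfter: newNext.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte("example-issuer-key-id"), // CreateRevocationList requires one
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// mustCRL signs a CRL, parses the DER back and checks the signature, as a relying party would.
func mustCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64,
	this, next time.Time, revoked []pkix.RevokedCertificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: this,
		NextUpdate: next, RevokedCertificates: revoked}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		panic(err)
	}
	return crl
}

// FirstInWindow is the rule the thread describes: the first cached CRL whose
// [lastUpdate, nextUpdate] window contains now is used; CRL Number is ignored.
func FirstInWindow(crls []*x509.RevocationList, now time.Time) *x509.RevocationList {
	for _, c := range crls {
		if !now.Before(c.ThisUpdate) && !now.After(c.NextUpdate) {
			return c
		}
	}
	return nil
}

// HighestNumber is the rule asked for: of the in-window CRLs, the one with the largest CRL Number.
func HighestNumber(crls []*x509.RevocationList, now time.Time) *x509.RevocationList {
	var best *x509.RevocationList
	for _, c := range crls {
		if !now.Before(c.ThisUpdate) && !now.After(c.NextUpdate) && (best == nil || c.Number.Cmp(best.Number) > 0) {
			best = c
		}
	}
	return best
}

// Revokes reports whether CRL c lists serial.
func Revokes(c *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range c.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// Cache mirrors the thread's cache in load order: 20480 was loaded first, 20481 appeared later.
func Cache() []*x509.RevocationList {
	issuer, key := mustIssuer()
	return []*x509.RevocationList{
		mustCRL(issuer, key, 20480, oldThis, oldNext, nil),
		mustCRL(issuer, key, 20481, newThis, newNext, []pkix.RevokedCertificate{{SerialNumber: RevokedSerial, RevocationTime: newThis}}),
	}
}

func main() {
	cache, now := Cache(), time.Date(2016, time.July, 20, 18, 4, 12, 0, time.UTC) // both windows open
	first, best := FirstInWindow(cache, now), HighestNumber(cache, now)
	fmt.Printf("first-in-window: CRL %d, revoked=%v; highest-number: CRL %d, revoked=%v\n",
		first.Number, Revokes(first, RevokedSerial), best.Number, Revokes(best, RevokedSerial))
}
```

Run it with `go run`. At Jul 20 18:04:12 UTC 2016 the first-in-window rule reports CRL 20480 and no revocation while the highest-number rule reports CRL 20481 and the revocation; once Aug 17 11:42:52 (the old nextUpdate) has passed, the first-in-window rule also moves to 20481, which is the "not until the old nextUpdate is exceeded" behaviour described above. The gap between the two answers is the exposure window: every certificate revoked in 20481 but not in 20480 keeps validating for up to a month.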