[openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir

Stephen Henson via RT rt at openssl.org
Fri Jul 22 12:59:46 UTC 2016


On Tue Jul 19 22:23:56 2016, steve wrote:
>
> If there are multiple CRLs with the appropriate scope then the first one
> where the current time falls between lastUpdate and nextUpdate is used.
>
> It is possible to dynamically update CRLs but currently only the time
> criterion is used. So if the first one fails the time test the next is
> used. This isn't ideal and something relying on the most recent or the
> highest CRL number would be preferable.
>

Please try the attached patch. This should end up using the most recent CRL
instead of the first one it sees. I've done some checks and dynamic update
works with this change. Note that if you happen to have two CRLs with an
identical lastUpdate field (down to the second) then it will just use the first
CRL it encounters again. This shouldn't be a problem in practice.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: crl.pat
Type: application/octet-stream
Size: 1186 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160722/a1a24228/attachment.obj>