[openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir

Patel, Anirudh (Anirudh) anirudhp at avaya.com
Sun Jul 24 18:18:03 UTC 2016


Thanks a lot !!! Will definitely try it out :)

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Stephen Henson via RT
Sent: Friday, July 22, 2016 6:30 PM
To: patel3.anirudh at gmail.com
Cc: openssl-dev at openssl.org
Subject: [openssl-dev] [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir

On Tue Jul 19 22:23:56 2016, steve wrote:
>
> If there are multiple CRLs with the appropriate scope then the first 
> one where the current time falls between lastUpdate and nextUpdate is 
> used.
>
> It is possible to dynamically update CRLs but currently only the time
> criteria is used. So if the first one fails the time test the next is
> used. This isn't ideal and something relying on the most recent or the
> highest CRL number would be preferable.
>

Please try the attached patch. This should end up using the most recent CRL instead of the first one it sees. I've done some checks and dynamic update works with this change. Note that if you happen to have two CRLs with an identical lastUpdate field (down to the second) then it will just use the first CRL it encounters again. This shouldn't be a problem in practice.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
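
An added example, not part of the thread and not the attached patch: a small C model of the two CRL selection policies the messages above describe (first CRL that passes the time test, versus the most recent lastUpdate with ties going to the first one encountered). The `crl_info` struct, the function names and the sample values are hypothetical, and it assumes the time test still applies under the new policy.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for a CRL: only the two time fields the thread
 * discusses. This is not an OpenSSL structure. */
struct crl_info { time_t last_update, next_update; };

/* Time test from the thread: now lies between lastUpdate and nextUpdate. */
static int time_ok(const struct crl_info *c, time_t now)
{
    return c->last_update <= now && now <= c->next_update;
}

/* Earlier behaviour: the first CRL that passes the time test is used. */
int pick_first_valid(const struct crl_info *crls, size_t n, time_t now)
{
    for (size_t i = 0; i < n; i++)
        if (time_ok(&crls[i], now))
            return (int)i;
    return -1;
}

/* Behaviour described for the patch: prefer the most recent lastUpdate.
 * Assumption: the time test still applies. The strict '>' keeps the first
 * CRL encountered when two lastUpdate values are identical. */
int pick_most_recent(const struct crl_info *crls, size_t n, time_t now)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (time_ok(&crls[i], now) &&
            (best < 0 || crls[i].last_update > crls[best].last_update))
            best = (int)i;
    return best;
}

/* Constructed sample data: seconds on an arbitrary clock. */
static const struct crl_info SAMPLE[] = {
    {1000, 5000},  /* 0: older CRL, still inside its validity window */
    {2000, 6000},  /* 1: newer CRL for the same scope */
    {2000, 7000},  /* 2: same lastUpdate as 1 */
    { 500,  900},  /* 3: expired */
};

int main(void)
{
    printf("first=%d newest=%d\n", pick_first_valid(SAMPLE, 4, 3000),
           pick_most_recent(SAMPLE, 4, 3000));
    return 0;
}
```

With the sample data at time 3000 the first-match policy returns the older CRL at index 0 while the most-recent policy returns index 1, which is the difference the thread is about.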


