[openssl-users] OCSP service dependant on time valid CRLs

daniel bryan danbryan80 at gmail.com
Thu Dec 10 15:27:10 UTC 2015


I was researching how expired CRLs affect revocation checking via openssl.

TEST #1: The first test was to find out what status is returned when I
verify a certificate against the CRL:

[dan at canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile
CRLS/ABC-expired.crl -crl_check CERTS/0x500c8bd-revoked.pem

CERTS/0x500c8bd-revoked.pem: C = us, O = ORG, OU = LAB, OU = ABC, OU = D002, CN = test
error 12 at 0 depth lookup:CRL has expired
C = us, O = ORG, OU = LAB, OU = ABC, OU = D002, CN = test
error 23 at 0 depth lookup:certificate revoked

As you can see, the client *WAS* informed the certificate was *revoked*,
even though the CRL was expired.

TEST #2: The next test was using OCSP:

[dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080

Response verify OK
CERTS/0x500c8bd-revoked.pem: unknown
        This Update: Dec 9 20:48:26 2015 GMT

As you can see, the client *was NOT* informed the certificate was revoked.

We are using a 3rd-party vendor's OCSP service, and I am of the opinion that
an OCSP service should provide a revoked response regardless of the time
validity of the CRL.

I have read RFC 2560 & 6960 many times, and have not been able to find
explicit guidance on this scenario. I am interested in the community
opinion on this issue, and any pertinent mandatory guidance.

My end goal is either to convince our vendor to provide a revoked status
regardless of the CRL's expiration OR to justify why an OCSP service should
ignore issuers with expired CRLs. I'm looking forward to any feedback.
