[openssl-users] Anyone using cert verification with indirect crls?

weber at infotech.de weber at infotech.de
Wed Apr 20 11:50:41 UTC 2016


Dear OpenSSL users,

We are currently using OpenSSL version 1.0.1d on Win32 and Linux and we're about to use indirect CRLs. The main intent is to keep the RCAs' secrets in a vault.

Since we found no command-line support for this, we wrote a class to generate the needed CRLs. Verifying an end-entity cert we found some unexpected behavior. We put a request to the openssl-dev list yesterday (subject "[openssl-dev] Possible deficiency verifying with indirect crl") which is currently without response.

The next surprise arose when it came to path validation of the CRL issuer's cert. Firstly, the chain could not be built since the method to access the trusted certs list was not in place. So we copied the method and the pointer to the stack of trusted certs into the temporary context within the function check_crl_path.

Did I miss something, or is anyone interested in discussing these measures or even successfully using verification with indirect CRLs?

BTW: The current version, 1.0.1g, seems to make no difference in behavior since the relevant portions of the code seem to be untouched.

Thanks in advance
--
Christian Weber