Deleted client certificate trust expectations

Dan Freed dfreed at
Wed Nov 11 23:28:46 UTC 2020

Thanks for the help. This got me on the right track.


From: openssl-users <openssl-users-bounces at>
Date: Wednesday, November 11, 2020 at 12:02 PM
To: openssl-users at <openssl-users at>
Subject: Re: Deleted client certificate trust expectations
External Mail. Careful of links / attachments. Submit Helpdesk if unsure.

On Wed, Nov 11, 2020 at 04:28:40PM +0000, Dan Freed wrote:

> I have a question/issue about how OpenSSL should handle a deleted
> client certificate. It appears that once a trusted certificate is read
> from the filesystem, it remains trusted throughout the lifespan of the
> server process.

The built-in trust stores (code behind CAfile and CApath) are caching
stores.  They use an in memory cache of trusted certificates that is
pre-loaded in the case of CAfile, and demand-loaded on a cache miss in
the case of CApath.  Once a certificate is loaded, it remains in the
cache.  The cache is part of the X509_STORE object that is associated
with the SSL_CTX.

Though I don't see it exposed in the Perl API, it is possible to flush
the X509_STORE cache by calling:

    SSL_CTX *ctx;
    X509_STORE *store;
    STACK_OF(X509) *objs;
    X509 *x;

    store = SSL_CTX_get_cert_store(ctx);
    st = X509_STORE_get0_objects(store);
    while ((x = sk_X509_pop(st)) != NULL)

An application that uses only CApath and does not wish to cache trusted
certificates indefinitely, can use this to flush the cache.  Note that
this does not work well with CAfile, since the file is read just once,
so you'd need to explicitly reload the CAfile:

    lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file());
    if (lookup == NULL)
        return 0;
    if (X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) != 1)
        return 0;

But keep in mind that X509_LOOKUP_load_file is not atomic, it adds
certificates to the store one at a time.  Therefore flushing and
reloading the store should happen in the same thread and should not
happen concurrently in multiple threads.

A sufficiently sophisticated user can of course add a custom store
that uses no cache, or a more sophisticated cache with expiration
times, ...

> My understanding of how this should work was that it should read the
> contents of that directory at the time the verify takes place, not
> when CTX_set_verify() is called, but that doesn't seem to be what is
> happening.

The directory content is (partly) cached, with the cache growing
incrementally as additional certificates are loaded.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list