Correct usage of X509_LOOKUP_hash_dir?

Andrew Lynch andrew.lynch at atos.net
Fri May 26 14:54:10 UTC 2023


Hi,

I am investigating some trouble we are having with an attempt to "automatically" reload CRLs in an stunnel configuration.

Previously a single CRLfile was configured containing multiple CRLs, but this requires a reload of the stunnel configuration whenever one of the CRLs changes (which can happen quite often in this environment).  Now we have switched to a CRLpath containing individual CRL files with hashed filenames.  I have verified that stunnel uses X509_LOOKUP_hash_dir in this case, for which the manual page states that OpenSSL "checks for newer CRLs upon each lookup".  But updates to any of the CRLs are not being reflected in stunnel behaviour without an explicit reload/restart.  I am trying to understand if we are missing some steps or if our expectation is wrong.

This is all on a SLES 12 system, so stunnel 5.00 with OpenSSL 1.0.2p-fips.

Scenario 1:  The new CRL file replaces the old one with the same filename.  The symlink with the hashed name stays the same but now points to an updated CRL with a higher CRL Number.
Scenario 2:  The new CRL file is placed with a new filename and the rehash utility creates an additional symlink ending in .r1.  There are now two versions of the same CRL with different CRL Number.

In both cases a client certificate that has just been revoked on the new CRL is still accepted by stunnel.  Only after an explicit config reload (SIGHUP) is the certificate rejected.  Our expectation is that OpenSSL would notice the newer CRL and use it during the lookup.

Stunnel calls X509_STORE_get_by_subject() with the issuer of the client certificate to retrieve the CRL.  The store has been set up with X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()) followed by X509_LOOKUP_add_dir().

Regards,
Andrew.
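Added example (not from the post, nor stunnel's or OpenSSL's own code): a shell audit of a CRLpath directory as seen by X509_LOOKUP_hash_dir, which probes <hash>.r0, <hash>.r1, ... in order and stops at the first suffix that does not exist. It reports, per issuer hash, how many links are reachable and how many sit behind a gap, and lists the CRL Number of each reachable version so the .r0/.r1 pair from Scenario 2 can be compared; directory and hash names are constructed.

```shell
#!/bin/sh
# Audit a stunnel CRLpath directory used through X509_LOOKUP_hash_dir.
# hash_dir probes <hash>.r0, <hash>.r1, ... in order and stops at the
# first suffix that does not exist, so a gap in the sequence hides
# every later CRL from the lookup. Constructed example, not stunnel's
# or OpenSSL's own code.
set -u

# Print "<hash> reachable=<n> unreachable=<m>" for every issuer hash in
# the directory: n files form an unbroken .r0..r(n-1) chain, m files
# sit behind a gap and will never be loaded.
crlpath_audit() {
    dir=$1
    for f in "$dir"/*.r[0-9]*; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%%.r*}"
    done | sort -u | while read -r hash; do
        n=0
        while [ -e "$dir/$hash.r$n" ]; do n=$((n + 1)); done
        total=0
        for f in "$dir/$hash".r[0-9]*; do
            [ -e "$f" ] && total=$((total + 1))
        done
        printf '%s reachable=%d unreachable=%d\n' "$hash" "$n" $((total - n))
    done
}

# Show the CRL Number of each reachable link for one hash, so the two
# versions of Scenario 2 (.r0 and .r1) can be compared. Needs the
# openssl CLI; files that fail to parse are reported, not skipped.
crlpath_numbers() {
    dir=$1 hash=$2 n=0
    while [ -e "$dir/$hash.r$n" ]; do
        printf '%s.r%d: ' "$hash" "$n"
        openssl crl -in "$dir/$hash.r$n" -noout -crlnumber 2>/dev/null \
            || echo "not a readable CRL"
        n=$((n + 1))
    done
}

# Usage: audit.sh /etc/stunnel/crls [issuer-hash]   (paths are assumed)
if [ $# -ge 1 ]; then
    crlpath_audit "$1"
    if [ $# -ge 2 ]; then crlpath_numbers "$1" "$2"; fi
fi
```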
