libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL
Abandoned, Public

Authored by franco_opnsense.org on Tue, Nov 5, 12:53 PM.
Details

Reviewers
michaelo
grembo
Summary

This works with both SSL_CRL_FILE and SSL_CRL_VERIFY. In the absence
of a CRL distribution point OpenSSL by default assumes that a CRL does
exist anyway and will fail to validate when not given by the user.

This can be problematic when it is unclear which host is going to be
connected and how the chain is constructed. In edge cases this ensures
that CRLs are checked as they are (or are not) publicly distributed.

Also see: https://openssl-users.openssl.narkive.com/qKrxQx5U/certificate-crls-x509-v-err-unable-to-get-crl

Diff Detail

Repository
rG FreeBSD src repository