Page MenuHomeFreeBSD
Differential D47449

libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL
AbandonedPublic
Actions

Authored by franco_opnsense.org on Nov 5 2024, 12:53 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Oct 7, 4:16 PM
Unknown Object (File)
Sep 4 2025, 12:49 AM
Unknown Object (File)
Aug 28 2025, 4:19 AM
Unknown Object (File)
Aug 28 2025, 12:04 AM
Unknown Object (File)
Aug 28 2025, 12:04 AM
Unknown Object (File)
Aug 28 2025, 12:02 AM
Unknown Object (File)
Aug 13 2025, 7:21 AM
Unknown Object (File)
Jul 6 2025, 1:52 PM
View All 42 Files
Subscribers
imp

Details

Reviewers
michaelo
grembo
Summary

This works with both SSL_CRL_FILE and SSL_CRL_VERIFY. In the abensence
of a CRL distribution point OpenSSL by default assumes that a CRL does
exist anyway and will fail to validate when not given by the user.

This can be problematic when it is unclear which host is going to be
connected and how the chain is constructed. In edge cases this ensures
CRLs to be checked as they are (or are not) publicly distributed.

Also see: https://openssl-users.openssl.narkive.com/qKrxQx5U/certificate-crls-x509-v-err-unable-to-get-crl

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 60399
Build 57283: arc lint + arc unit

Revision Contents
Changeset List

PathSize
lib/
libfetch/
30 lines
5 lines

Diff 146053

View Options

lib/libfetch/common.c

Loading...
View Options

lib/libfetch/fetch.3

Loading...