
libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL
Abandoned, Public

Authored by franco_opnsense.org on Nov 5 2024, 12:53 PM.
Tags
None
Details

Reviewers
michaelo
grembo
Summary

This works with both SSL_CRL_FILE and SSL_CRL_VERIFY. In the absence
of a CRL distribution point OpenSSL by default assumes that a CRL does
exist anyway and will fail to validate when not given by the user.

This can be problematic when it is unclear which host is going to be
connected and how the chain is constructed. In edge cases this ensures
that CRLs are checked as they are (or are not) publicly distributed.

Also see: https://openssl-users.openssl.narkive.com/qKrxQx5U/certificate-crls-x509-v-err-unable-to-get-crl

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 60399
Build 57283: arc lint + arc unit