
libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL
Abandoned · Public

Authored by franco_opnsense.org on Nov 5 2024, 12:53 PM.
Details

Reviewers
michaelo
grembo
Summary

This works with both SSL_CRL_FILE and SSL_CRL_VERIFY. In the absence
of a CRL distribution point OpenSSL by default assumes that a CRL does
exist anyway and will fail to validate when not given by the user.

This can be problematic when it is unclear which host is going to be
connected to and how the chain is constructed. In edge cases this ensures
CRLs are checked as they are (or are not) publicly distributed.

Also see: https://openssl-users.openssl.narkive.com/qKrxQx5U/certificate-crls-x509-v-err-unable-to-get-crl
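The OpenSSL default the summary describes can be reproduced with the command-line tool. The script below is an added example written for this page, not code from this review or from FreeBSD's libfetch: it builds a throwaway CA and a leaf certificate with no CRL distribution point, then runs `openssl verify` with and without `-crl_check`. It assumes the `openssl` CLI is on PATH; the mapping of the two runs to libfetch's SSL_CRL_VERIFY / SSL_CRL_FILE variables in the comments is an editorial reading of the summary.

```shell
#!/bin/sh
# Added example: show why a verify with CRL checking enabled fails when no
# CRL exists, which is the situation SSL_CRL_OPTIONAL is meant to relax.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed, throwaway CA (self-signed) and a leaf certificate it signs.
# Neither certificate carries a CRL distribution point, and no CRL is issued.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" >/dev/null 2>&1

# Plain chain validation, CRL checking off (libfetch without SSL_CRL_VERIFY).
# Prints "<path>: OK" and returns 0.
verify_plain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" 2>&1
}

# Same chain with CRL checking turned on (what SSL_CRL_VERIFY enables) but no
# CRL supplied (no SSL_CRL_FILE and nothing to fetch). OpenSSL treats the
# missing CRL as fatal: X509_V_ERR_UNABLE_TO_GET_CRL, "unable to get
# certificate CRL", non-zero exit. An optional-CRL mode would let this pass
# while still rejecting a certificate listed in a CRL that *is* available.
verify_crl_check() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" 2>&1
}

# Stand-alone demonstration of both outcomes.
echo "--- CRL checking off:"
verify_plain
echo "--- CRL checking on, no CRL available:"
verify_crl_check || echo "(exit status $?: CRL check made validation fail)"
```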

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 60399
Build 57283: arc lint + arc unit