Anyone using cert verification with indirect crls?
Dear OpenSSL users,

We are currently using OpenSSL version 1.0.1d on Win32 and Linux and we're about to use indirect CRLs. The main intent is to keep the RCAs' secrets in a vault. Since we found no command-line support for this, we wrote a class to generate the needed CRLs. Verifying an end-entity cert, we found some unexpected behavior. We put a request to the openssl-dev list yesterday (subject "[openssl-dev] Possible deficiency verifying with indirect crl") which is currently without response.

The next surprise arose when it came to path validation of the CRL issuer's cert. Firstly, the chain could not be built since the method to access the trusted certs list was not in place. So we copied the method and the pointer to the stack of trusted certs into the function check_crl_path.

Did I miss something, or is anyone interested in discussing these measures or even successfully using verification with indirect CRLs?

BTW: The current version, 1.0.1g, seems to make no difference in behavior since the relevant portions of the code seem to be untouched.
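For readers following this thread, the checks a verifier has to perform on an indirect CRL are spelled out in RFC 5280 (section 5.2.5 for the issuingDistributionPoint extension and 5.3.3 for the per-entry certificateIssuer extension); in OpenSSL they are enabled with X509_V_FLAG_EXTENDED_CRL_SUPPORT (`openssl verify -crl_check -extended_crl`). The following is an added example, not code from the original post or from OpenSSL, written with the pyca/cryptography library. It builds a constructed PKI (an offline root, a separate CRL issuer, two end-entity certificates), generates an indirect CRL signed by the CRL issuer, and then applies the RFC checks: the CRL issuer must be the one named in the certificate's cRLIssuer field, its certificate must chain to the trust anchor and carry cRLSign, the CRL signature must verify with its key, the IDP must assert indirectCRL, and the entry scan must track certificateIssuer. All names and the distribution-point URL are constructed values.

```python
# Added example (not from the post or OpenSSL): an indirect-CRL check with pyca/cryptography.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed values: a fixed clock and a hypothetical distribution-point URL.
NOW = datetime.datetime(2014, 4, 10, 12, 0, tzinfo=datetime.timezone.utc)
CRL_URL = "http://crl.example.test/indirect.crl"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pub, signer, serial, exts):
    """Build a certificate; exts is a list of (extension, critical) pairs."""
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(serial)
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer, hashes.SHA256())


def build_pki():
    """Constructed PKI: root CA (key kept offline), a separate CRL issuer, two end-entity certs."""
    root_key, crl_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_dn, crl_dn = _name("Test Root CA"), _name("Test CRL Issuer")
    # KeyUsage positional order: digitalSignature, contentCommitment, keyEncipherment,
    # dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly.
    ca_ku = x509.KeyUsage(False, False, False, False, False, True, True, False, False)
    crl_ku = x509.KeyUsage(True, False, False, False, False, False, True, False, False)
    root = _cert(root_dn, root_dn, root_key.public_key(), root_key, 1,
                 [(x509.BasicConstraints(ca=True, path_length=None), True), (ca_ku, True)])
    crl_issuer = _cert(crl_dn, root_dn, crl_key.public_key(), root_key, 2, [(crl_ku, True)])
    # End-entity certs name the CRL issuer in cRLDistributionPoints (the cRLIssuer field).
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None,
        reasons=None, crl_issuer=[x509.DirectoryName(crl_dn)])])
    ee1 = _cert(_name("server1"), root_dn, ee_key.public_key(), root_key, 1001, [(cdp, False)])
    ee2 = _cert(_name("server2"), root_dn, ee_key.public_key(), root_key, 1002, [(cdp, False)])
    return {"root": root, "crl_issuer": crl_issuer, "crl_key": crl_key, "ee1": ee1, "ee2": ee2}


def build_indirect_crl(pki, revoked_serials):
    """Indirect CRL: signed by the CRL issuer but listing certificates issued by the root."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(pki["crl_issuer"].subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
         .add_extension(x509.IssuingDistributionPoint(
             full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None,
             only_contains_user_certs=False, only_contains_ca_certs=False, indirect_crl=True,
             only_contains_attribute_certs=False, only_some_reasons=None), critical=True))
    for i, serial in enumerate(revoked_serials):
        rb = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
        if i == 0:
            # certificateIssuer applies to this entry and all that follow (RFC 5280 5.3.3).
            rb = rb.add_extension(
                x509.CertificateIssuer([x509.DirectoryName(pki["root"].subject)]), critical=True)
        b = b.add_revoked_certificate(rb.build())
    return b.sign(pki["crl_key"], hashes.SHA256())


def _ext(obj, cls):
    try:
        return obj.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def check_indirect_crl(cert, crl, crl_issuer_cert, trust_anchor):
    """Return "revoked" or "good"; raise ValueError if the CRL may not be used for cert."""
    cdp = _ext(cert, x509.CRLDistributionPoints) or []
    named = [gn.value for dp in cdp for gn in (dp.crl_issuer or [])
             if isinstance(gn, x509.DirectoryName)]
    if crl.issuer not in named:
        raise ValueError("CRL issuer is not named in the certificate's cRLIssuer field")
    if crl_issuer_cert.subject != crl.issuer:
        raise ValueError("CRL issuer certificate does not match the CRL's issuer name")
    # Path validation of the CRL issuer cert, reduced here to a one-step chain to the anchor.
    if crl_issuer_cert.issuer != trust_anchor.subject:
        raise ValueError("CRL issuer certificate is not issued by the trust anchor")
    try:
        trust_anchor.public_key().verify(
            crl_issuer_cert.signature, crl_issuer_cert.tbs_certificate_bytes,
            ec.ECDSA(crl_issuer_cert.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("CRL issuer certificate signature does not verify")
    ku = _ext(crl_issuer_cert, x509.KeyUsage)
    if ku is None or not ku.crl_sign:
        raise ValueError("CRL issuer certificate lacks the cRLSign key usage")
    if not crl.is_signature_valid(crl_issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify with the CRL issuer's key")
    idp = _ext(crl, x509.IssuingDistributionPoint)
    if idp is None or not idp.indirect_crl:
        raise ValueError("CRL from a different issuer must carry an IDP with indirectCRL")
    # Walk the entries; a certificateIssuer, once seen, sticks until the next one appears.
    entry_issuer = crl.issuer
    for entry in crl:
        ci = _ext(entry, x509.CertificateIssuer)
        if ci is not None:
            entry_issuer = next(gn.value for gn in ci if isinstance(gn, x509.DirectoryName))
        if entry.serial_number == cert.serial_number and entry_issuer == cert.issuer:
            return "revoked"
    return "good"
```

The path-validation step is deliberately the minimal one-hop form (CRL issuer signed directly by the anchor); in a real verifier that step is the full chain build the post describes, using the same trusted and untrusted stacks as the end-entity chain. Note also that the entry scan compares both serial number and the tracked certificateIssuer name: in an indirect CRL, serial numbers from different CAs may collide, so a serial-only match would be wrong.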