Strange CRL verification behaviour

on 03.02.2009 19:12:00 by Christophe Nanteuil

Hello,
I am a stunnel user; stunnel implements code from mod_ssl for
certificate/CRL verification.
I noticed a strange behaviour when verifying a CRL, which uses the
ssl_callback_SSLVerify_CRL function of mod_ssl:

If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile.
Then, for any new connection, the logs show "CRL: verification passed",
which means that ssl_callback_SSLVerify_CRL returned TRUE.
-> NOT OK, IMO.

Examples of wrong CRLs: a CRL issued by an unknown CA, or a
certificate in the PEM format.

I propose the attached patch to modify the behaviour of the
ssl_callback_SSLVerify_CRL function, i.e. return false if no CRL
corresponding to the issuer of each certificate of the chain is found.

--
Christophe Nanteuil

Content-Disposition: attachment; filename="ssl_mod-crl.patch"

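Added example, not mod_ssl's code and not the attached patch: a C model of the decision the CRL callback makes, using hypothetical in-memory stand-ins for the certificate chain and a CRL store keyed by issuer name. `crl_verify` with `fail_closed=false` reproduces the behaviour reported above (no usable CRL, verification still passes), and with `fail_closed=true` the rule proposed above (no CRL for an issuer in the chain, verification fails). All certificates, serials and CRLs below are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for X509 / X509_CRL with only the fields the decision needs. */
typedef struct { const char *subject; const char *issuer; long serial; } cert_t;
typedef struct { const char *issuer; const long *revoked; size_t n_revoked; } crl_t;

/* CRL issued by `issuer`, or NULL: what an empty store or an unparseable CRL file leaves. */
static const crl_t *find_crl(const crl_t *store, size_t n, const char *issuer) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i].issuer, issuer) == 0) return &store[i];
    return NULL;
}

static bool is_revoked(const crl_t *crl, long serial) {
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial) return true;
    return false;
}

/* ok: the verify result handed to the callback before the CRL step.
 * fail_closed=false: a missing CRL is skipped and ok is returned unchanged (the reported case).
 * fail_closed=true: a missing CRL for any issuer in the chain fails the check (the proposal). */
bool crl_verify(bool ok, const cert_t *chain, size_t n_chain,
                const crl_t *store, size_t n_store, bool fail_closed) {
    for (size_t i = 0; i < n_chain; i++) {
        const crl_t *crl = find_crl(store, n_store, chain[i].issuer);
        if (crl == NULL) {
            if (fail_closed) return false;   /* no CRL for this issuer: do not trust */
            continue;                        /* reported behaviour: silently skipped */
        }
        if (is_revoked(crl, chain[i].serial)) return false;
    }
    return ok;
}

/* Constructed sample data: server cert <- intermediate CA <- root CA. */
const cert_t SAMPLE_CHAIN[2] = {
    { "CN=server", "CN=Intermediate CA", 1001 },
    { "CN=Intermediate CA", "CN=Root CA", 7 },
};
static const long INTERMEDIATE_REVOKED[1] = { 1001 };
const crl_t SAMPLE_STORE[2] = {    /* CRLs present for both issuers, nothing revoked */
    { "CN=Intermediate CA", NULL, 0 }, { "CN=Root CA", NULL, 0 },
};
const crl_t REVOKING_STORE[2] = {  /* the intermediate's CRL revokes the server cert */
    { "CN=Intermediate CA", INTERMEDIATE_REVOKED, 1 }, { "CN=Root CA", NULL, 0 },
};
```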
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org