[PATCH] SSL: Added crl_check_mode
mdounin at mdounin.ru
Thu Mar 9 17:56:03 UTC 2017
On Wed, Mar 08, 2017 at 06:12:32PM +0200, Jürno Ader wrote:
> # HG changeset patch
> # User Jürno Ader <jyrno42 at gmail.com>
> # Date 1488987398 -7200
> # Wed Mar 08 17:36:38 2017 +0200
> # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
> # Parent d450723755728f9d0cc291247b9601e2f3340f19
> SSL: Added crl_check_mode
> Added crl_check_mode flag which can be used to modify flags used for
> the X509_STORE created in ngx_ssl_crl.
> This makes it possible to use Estonian Identity card revocation lists with
> nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed
> since the root certificate for ESTEID does not have a proper CRL available.
Just for the record: I've again looked at this, and it seems the
problem with the CRL is as follows:
The root certificate, "EE Certification Centre Root CA", has a CRL
available at http://www.sk.ee/repository/crls/eeccrca.crl. This
CRL lists Issuing Distribution Point extension as follows:
X509v3 Issuing Distrubution Point: critical
But there are no CRL Distribution Points in the certificate itself.
As a result, OpenSSL refuses to use this CRL when it tries to
verify more than just a leaf certificate, for example:
$ openssl verify -CAfile EE_Certification_Centre_Root_CA.pem.crt -CRLfile eeccrca.crl.pem -crl_check_all KLASS3-SK_2010_EECCRCA_SHA384.pem.crt
KLASS3-SK_2010_EECCRCA_SHA384.pem.crt: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki at sk.ee
error 44 at 1 depth lookup:Different CRL scope
This probably should be reported to the sk.ee team, likely they
want to fix this. Simply removing the IDP extension from the CRL
should do the trick.
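The failure described above, reproduced with a throw-away PKI (an added example, not part of this thread or of nginx): the root CA carries no CRL Distribution Points, the CRL carries a critical Issuing Distribution Point whose fullname matches the leaf's CRLDP, and openssl verify rejects the CRL only once -crl_check_all makes it look past the leaf; the same CRL regenerated without the IDP verifies for the whole chain. All names, keys and the crl.example.test URI are constructed.

```shell
# Added example (not from the thread): throw-away PKI reproducing the "Different CRL scope" error.
# Root CA has no CRLDP; the leaf's CRLDP matches the CRL's IDP; the CRL is built with and without the IDP.
set -e; WORK=$(mktemp -d)
setup_demo_pki() {   # builds root.pem, leaf.pem, idp.crl and plain.crl in $WORK
  cd "$WORK"; mkdir -p newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = root.pem
private_key = root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/root.crl
[ idp_crl_ext ]
issuingDistributionPoint = critical, @idp
[ idp ]
fullname = URI:http://crl.example.test/root.crl
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -subj /CN=Demo-Root 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=leaf 2>/dev/null
  openssl ca -config ca.cnf -name demo_ca -batch -notext -extensions leaf_ext -in leaf.csr -out leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -name demo_ca -gencrl -crlexts idp_crl_ext -out idp.crl 2>/dev/null   # CRL with critical IDP
  openssl ca -config ca.cnf -name demo_ca -gencrl -out plain.crl 2>/dev/null                     # same CRL, IDP removed
}
verify_leaf() {   # verify_leaf CRLFILE MODE -> OK | DIFFERENT_CRL_SCOPE (OpenSSL error 44) | raw verify output
  out=$(cd "$WORK" && openssl verify -CAfile root.pem -CRLfile "$1" "$2" leaf.pem 2>&1 || true)
  case "$out" in
    *"Different CRL scope"*) echo DIFFERENT_CRL_SCOPE ;;
    *": OK"*) echo OK ;; *) echo "$out" ;;
  esac
}
setup_demo_pki
verify_leaf idp.crl -crl_check         # OK: only the leaf is checked and its CRLDP matches the IDP
verify_leaf idp.crl -crl_check_all     # DIFFERENT_CRL_SCOPE: the root has no CRLDP to match the IDP
verify_leaf plain.crl -crl_check_all   # OK: without the IDP the CRL applies to every cert the CA issued
```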