[PATCH] SSL: Added crl_check_mode

Maxim Dounin mdounin at mdounin.ru
Thu Mar 9 17:56:03 UTC 2017


On Wed, Mar 08, 2017 at 06:12:32PM +0200, Jürno Ader wrote:

> # HG changeset patch
> # User Jürno Ader <jyrno42 at gmail.com>
> # Date 1488987398 -7200
> #      Wed Mar 08 17:36:38 2017 +0200
> # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
> # Parent  d450723755728f9d0cc291247b9601e2f3340f19
> SSL: Added crl_check_mode
> Added crl_check_mode flag which can be used to modify flags used for
> the X509_STORE created in ngx_ssl_crl.
> This makes it possible to use Estonian Identity card revocation lists with
> nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed
> since the root certificate for ESTEID does not have a proper CRL available.

Just for the record: I've again looked at this, and it seems the 
problem with the CRL is as follows:

The root certificate, "EE Certification Centre Root CA", has a CRL 
available at http://www.sk.ee/repository/crls/eeccrca.crl.  This 
CRL lists Issuing Distrubution Point extension as follows:

            X509v3 Issuing Distrubution Point: critical
                Full Name:

But there are no CRL Distribution Points in the certificate itself.  
As a result, OpenSSL refuses to to use this CRL when it tries to 
verify more than just a leaf certificate, for example:

$ openssl verify -CAfile EE_Certification_Centre_Root_CA.pem.crt -CRLfile eeccrca.crl.pem -crl_check_all KLASS3-SK_2010_EECCRCA_SHA384.pem.crt
KLASS3-SK_2010_EECCRCA_SHA384.pem.crt: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki at sk.ee
error 44 at 1 depth lookup:Different CRL scope

This probably should be reported to the sk.ee team, likely they 
want to fix this.  Simply removing the IDP extension from the CRL 
should do the trick.


Maxim Dounin

More information about the nginx-devel mailing list