[PATCH] SSL: Added crl_check_mode

Maxim Dounin mdounin at mdounin.ru
Thu Mar 9 17:56:03 UTC 2017


Hello!

On Wed, Mar 08, 2017 at 06:12:32PM +0200, Jürno Ader wrote:

> # HG changeset patch
> # User Jürno Ader <jyrno42 at gmail.com>
> # Date 1488987398 -7200
> #      Wed Mar 08 17:36:38 2017 +0200
> # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
> # Parent  d450723755728f9d0cc291247b9601e2f3340f19
> SSL: Added crl_check_mode
> 
> Added crl_check_mode flag which can be used to modify flags used for
> the X509_STORE created in ngx_ssl_crl.
> 
> This makes it possible to use Estonian Identity card revocation lists with
> nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed
> since the root certificate for ESTEID does not have a proper CRL available.

Just for the record: I've again looked at this, and it seems the 
problem with the CRL is as follows:

The root certificate, "EE Certification Centre Root CA", has a CRL 
available at http://www.sk.ee/repository/crls/eeccrca.crl.  This 
CRL lists Issuing Distrubution Point extension as follows:

            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://www.sk.ee/repository/crls/eeccrca.crl

But there are no CRL Distribution Points in the certificate itself.  
As a result, OpenSSL refuses to to use this CRL when it tries to 
verify more than just a leaf certificate, for example:

$ openssl verify -CAfile EE_Certification_Centre_Root_CA.pem.crt -CRLfile eeccrca.crl.pem -crl_check_all KLASS3-SK_2010_EECCRCA_SHA384.pem.crt
KLASS3-SK_2010_EECCRCA_SHA384.pem.crt: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki at sk.ee
error 44 at 1 depth lookup:Different CRL scope

This probably should be reported to the sk.ee team, likely they 
want to fix this.  Simply removing the IDP extension from the CRL 
should do the trick.

[...]

-- 
Maxim Dounin
http://nginx.org/


More information about the nginx-devel mailing list