8

The reference book that I'm working from (Network Security with OpenSSL, by Viega, Messier, and Chandra), on page 133, states:

[...] an application must load CRL files in order for the internal verification process to ensure each certificate it verifies is not revoked. Unfortunately, OpenSSL's CRL functionality is incomplete in version 0.9.6. The features necessary to utilize CRL information will be complete in new versions starting with 0.9.7. [...]

I can't find any usable information about it in the OpenSSL documentation (no surprise there). It seems to me that checking the CRLs should be an automatic part of OpenSSL's verification process. Are CRLs handled automatically now, or must I still go through all the garbage listed in the book to laboriously verify that a certificate hasn't been revoked?

A closely-related question: does the SSL_CTX_set_default_verify_paths function load CRL paths too?

Head Geek
  • 38,128
  • 22
  • 77
  • 87

2 Answers2

8

The accepted answer doesn't quite work in libssl v0.9.8o. Although the code matches that at the bottom of the page in the online docs as of 2011/06/23:

http://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_flags.html

I used this code:

X509_STORE *store = getStore();

// Enable CRL checking
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, param);
X509_VERIFY_PARAM_free(param);

Notice the use of X509_STORE rather than SSL_CTX to set the parameter.

EDIT: One further thing to note with OpenSSL and CRLs. If you enable a CRL on a context any certificate whos CA does not have a CRL will be rejected. There's no way, as far as I know, to get OpenSSL to only apply CRLs to certs from CAs listed in the CRLs it has.

I ran in to this problem and wasted a lot of time trying to figure out why my certificate was not being accepted when it was perfectly valid. The issue was that I had added a CRL for one CA but not for another. All certs from the CA which had no CRL were being rejected. OpenSSL is all or nothing in this respect.

jcoffland
  • 5,238
  • 38
  • 43
7

SSL_CTX_set_default_verify_paths() just loads CA paths, not CRLs.

I believe (though I have not yet actually implemented it myself) that the correct process is:

/* Load CRLs into the `X509_STORE` */

X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_crl(x509_store, crl);

/* Enable CRL checking */
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);
caf
  • 233,326
  • 40
  • 323
  • 462