Posted to dev@httpd.apache.org by Nicob <ni...@nicob.net> on 2008/09/15 22:16:24 UTC

Re: CRL verification in mod_ssl

On Saturday 30 August 2008 at 14:50 +0200, Nicob wrote:
> It implements the matching on the Authority DN (vs. Authority
> Key ID actually) during client certificate verification against a CRL
> *and* a required test during CRL validation, as described in paragraph
> 6.3.3 of RFC 3280

So, do you think that this patch could be included?

If not, I plan to open two bug reports:
- one about the matching on the Authority DN (missing feature)
- one about the non-verification of the key usage of the issuer
(security bug)

Note about the patch: it could also check at line 68 the return value
of BIO_read() before writing the NULL, even if this code is executed
only in debug mode.

Regards,
Nicob