Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Tuesday 30 August 2011 12:29:23 Raphael Geissert wrote:
> AFAIR they only know about CRLs (Certificate Revocation Lists), which only
> allow for one issuer per file.
>
> What I can't tell for sure from the documentation is whether OpenSSL and
> GnuTLS do check the CRL's validity (signature and time). It doesn't seem
> like they do.
> This is relevant if we were to ship them in ca-certificates.
Just for future reference, after further investigation:
OpenSSL _does_ check the CRL's signature. CRLs should be available, via
symlinks for example, in /etc/ssl/certs[1] and c_rehash run on that directory.
Applications using OpenSSL may instruct it to load the CRLs in two different
ways: by manually loading every single CRL, or by adding the /etc/ssl/certs
path to the X509 store.
However, failure to find a CRL for the signer's cert results in validation
failure. What I still haven't verified is whether the presence or absence of
the CRL Distribution Points leads to a behaviour change (I'd assume it
doesn't).
GnuTLS does seem to require that every CRL is loaded. Haven't tested its
behaviours.
[1] A different directory may be used, but for compatibility with openssl(1)
the same directory should be used.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
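The behaviour described in the message above (CRLs looked up by hash in a c_rehash'ed directory, and verification failing outright when no CRL for the issuer is found) can be reproduced with openssl(1) alone. The script below is an added example written for this page; it is not part of the bug report or of ca-certificates. It assumes an `openssl` binary of version 1.1.0 or later (for `openssl rehash`, falling back to the older `c_rehash` script), and every name in it (the "Constructed Test CA", `leaf.example`, the `store-*` directories, the `ca.cnf` fragment) is constructed for the demonstration. It builds a throwaway CA, one leaf certificate and two CRLs (one clean, one listing the leaf as revoked), then runs `openssl verify -crl_check` against three hashed directories: CA only, CA plus clean CRL, CA plus revoking CRL.

```shell
#!/bin/sh
# Added example, not from the bug report: show how OpenSSL's -CApath/-crl_check
# lookup behaves with and without a hashed CRL present. All names constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create <hash>.0 / <hash>.r0 links the way c_rehash does, so -CApath
# lookups can find the CA cert and its CRL by subject/issuer hash.
rehash_dir() {
    openssl rehash "$1" 2>/dev/null || c_rehash "$1" >/dev/null
}

# Build a constructed CA, a leaf cert signed by it, a clean CRL and a CRL
# that revokes the leaf. Everything lives under $WORK.
build_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
    # Minimal openssl ca(1) config: only what -gencrl and -revoke need.
    : > "$WORK/index.txt"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
EOF
    # CRL #1: nothing revoked yet.
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 1 \
        -out "$WORK/crl-clean.pem" 2>/dev/null
    # CRL #2: after revoking the leaf.
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 1 \
        -out "$WORK/crl-revoked.pem" 2>/dev/null
}

# make_store NAME FILE...: copy the given PEM files from $WORK into
# $WORK/NAME and hash the directory, mimicking a CRL shipped in /etc/ssl/certs.
make_store() {
    store_dir="$WORK/$1"; shift
    mkdir -p "$store_dir"
    for f in "$@"; do cp "$WORK/$f" "$store_dir/"; done
    rehash_dir "$store_dir"
}

# Verify leaf.pem with CRL checking against a hashed directory and print one
# of: ok, no-crl (X509_V_ERR_UNABLE_TO_GET_CRL), revoked, error.
verify_with_crl_check() {
    verify_out=$(openssl verify -no-CAfile -no-CApath -crl_check \
        -CApath "$1" "$WORK/leaf.pem" 2>&1) && { echo ok; return 0; }
    case "$verify_out" in
        *"unable to get certificate CRL"*) echo no-crl ;;
        *"certificate revoked"*)           echo revoked ;;
        *)                                 echo error ;;
    esac
}

build_test_pki
make_store store-nocrl   ca.pem
make_store store-crl     ca.pem crl-clean.pem
make_store store-revoked ca.pem crl-revoked.pem

echo "CA only, no CRL shipped:  $(verify_with_crl_check "$WORK/store-nocrl")"   # no-crl
echo "CA + clean CRL:           $(verify_with_crl_check "$WORK/store-crl")"     # ok
echo "CA + revoking CRL:        $(verify_with_crl_check "$WORK/store-revoked")" # revoked
```

The first line is the point made in the message: with `-crl_check` enabled and no CRL for the issuer in the hashed directory, OpenSSL does not fall back to "no CRL, assume fine" but fails the chain with "unable to get certificate CRL". `-crl_check` only demands a CRL for the leaf's issuer; `-crl_check_all` would demand one for every CA in the chain, so a store that ships CRLs for some issuers but not others behaves very differently under the two flags.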