[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Tuesday 30 August 2011 12:29:23 Raphael Geissert wrote:
> AFAIR they only know about CRL (Certificate Revocation List,) which only
> allows for one issuer per-file.
> 
> What I can't tell for sure from the documentation is whether OpenSSL and
> GnuTLS do check the CRL's validity (signature and time.) It doesn't seem
> like they do.
> This is relevant if we were to ship them in ca-certificates.

Just for future reference, after further investigation:

OpenSSL _does_ check the CRL's signature. CRLs should be available, via 
symlinks for example, in /etc/ssl/certs[1] and c_rehash run on that directory. 
Applications using OpenSSL may instruct it to load the CRLs in two different 
ways: by manually loading every single CRL, or by adding the /etc/ssl/certs 
path to the X509 store.
However, failure to find a CRL for the signer's cert results in validation 
failure. What I still haven't verified is that if the presence or absence of 
the CRL Distribution Points leads to a behaviour change (I'd assume it 
doesn't.)

GnuTLS does seem to require that every CRL is loaded. Haven't tested its 
behaviours.

[1] A different directory may be used, but for compatibility with openssl(1) 
the same directory should be used.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Reply to: