crocs-muni / usable-cert-validation

Research initiative to make TLS certificate validation usable.
https://x509errors.org
MIT License

Wrong OpenSSL validation result for the unable_to_get_crl case #127

Open zacikpa opened 2 years ago

zacikpa commented 2 years ago

OpenSSL does not return any error message for the unable_to_get_crl example chain. It should return X509_V_ERR_UNABLE_TO_GET_CRL.

Possible culprit might be the load_cert_crl_http function in validation/client/openssl/client.c. Its return value might not be processed properly.

mukrop commented 2 years ago

Nice catch, may be a possible bug in the library. Worth investigating.