Open fffonion opened 4 years ago
@daurnimator If we set the X509_V_FLAG_CRL_CHECK flag but no CRL is added to the store, the verification will always fail with `unable to get certificate CRL`,
and this might break existing applications. But it's also true that if some applications rely on the current behaviour that the CRL never gets checked even if it's added, they will also break, although they shouldn't in the first place.
I agree exposing it will be a sane approach regarding breaking changes, though there'll be more diff. I can make that change if it's okay.
would it make sense to expose all the verification flags? X509_V_FLAG_CRL_CHECK / X509_V_FLAG_CRL_CHECK_ALL / X509_V_FLAG_EXTENDED_CRL_SUPPORT / etc.
Yeah good point to expose all CRL verification flags.
Why wouldn't we turn this on all the time? Or expose it so a user can turn the flag on/off as they want?
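The behaviour the first comment describes, and the reason the flag can't simply be switched on unconditionally, can be reproduced outside the Lua binding with the openssl command-line tool, whose `-crl_check` option sets X509_V_FLAG_CRL_CHECK on the verify store. The script below is an added example written for this thread; it is not code from the thread or from the library under discussion, and it only assumes an `openssl` binary (1.1 or newer) on PATH. The CA name `Example-CA`, the leaf name `leaf.example` and the function names are constructed for the demo; every key, certificate and CRL is generated in a temporary directory.

```shell
# Added example: shows what X509_V_FLAG_CRL_CHECK (openssl verify -crl_check)
# does to a store that holds no CRL, then the same check with an empty CRL and
# with a CRL that revokes the leaf. Not from the thread or the library it discusses.

DEMO_DIR=""

# Creates a throwaway CA, a leaf certificate issued by it, and the CA's
# (initially empty) CRL, all under $DEMO_DIR. Names are constructed for the demo.
setup_pki() {
    DEMO_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=Example-CA \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj /CN=leaf.example \
        -keyout "$DEMO_DIR/leaf.key" -out "$DEMO_DIR/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$DEMO_DIR/leaf.csr" -CA "$DEMO_DIR/ca.pem" \
        -CAkey "$DEMO_DIR/ca.key" -CAcreateserial -days 1 -sha256 \
        -out "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
    # Minimal "openssl ca" configuration; only used to issue and update the CRL.
    : > "$DEMO_DIR/index.txt"
    cat > "$DEMO_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $DEMO_DIR/index.txt
certificate      = $DEMO_DIR/ca.pem
private_key      = $DEMO_DIR/ca.key
default_md       = sha256
default_crl_days = 1
EOF
    issue_crl
}

# (Re)generates the CA's CRL from its database.
issue_crl() {
    openssl ca -config "$DEMO_DIR/ca.cnf" -gencrl -out "$DEMO_DIR/crl.pem" >/dev/null 2>&1
}

# Marks the leaf as revoked in the CA database and publishes a fresh CRL.
revoke_leaf() {
    openssl ca -config "$DEMO_DIR/ca.cnf" -revoke "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
    issue_crl
}

# Verifies the leaf against the CA; extra "openssl verify" options (such as
# -crl_check or -CRLfile) are passed through. Exit status 0 only if the chain verifies.
verify_leaf() {
    openssl verify -CAfile "$DEMO_DIR/ca.pem" "$@" "$DEMO_DIR/leaf.pem" 2>&1
}

# Reduces one verification run to a single word: ok, no-crl (the failure
# described in the thread), revoked, or other.
classify() {
    out=$("$@") && { echo ok; return 0; }
    case "$out" in
        *"unable to get certificate CRL"*) echo no-crl ;;
        *"certificate revoked"*)           echo revoked ;;
        *)                                 echo other ;;
    esac
}

run_demo() {
    setup_pki
    echo "no CRL check:                  $(classify verify_leaf)"
    echo "CRL check, no CRL in store:    $(classify verify_leaf -crl_check)"
    echo "CRL check, empty CRL in store: $(classify verify_leaf -crl_check -CRLfile "$DEMO_DIR/crl.pem")"
    revoke_leaf
    echo "CRL check, leaf revoked:       $(classify verify_leaf -crl_check -CRLfile "$DEMO_DIR/crl.pem")"
    rm -rf "$DEMO_DIR"
}

run_demo
```

The second line of output is the case from the thread: the chain itself is fine, but with the flag set and no CRL for the issuer loaded, OpenSSL reports `unable to get certificate CRL` and verification fails. This is why an application that enables the flag must also load (and keep refreshing) a CRL for every issuer it expects to see; with X509_V_FLAG_CRL_CHECK_ALL (`-crl_check_all`) that requirement extends to every issuer in the chain, not just the leaf's.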