wahern / luaossl

Most comprehensive OpenSSL module in the Lua universe.
http://25thandclement.com/~william/projects/luaossl.html

src/openssl.c: enable check for revocation if CRL is added to store #180

Open fffonion opened 4 years ago

daurnimator commented 4 years ago

Why wouldn't we turn this on all the time? Or expose it so a user can turn the flag on/off as they want?

fffonion commented 4 years ago

@daurnimator If we set the X509_V_FLAG_CRL_CHECK flag but no CRL is added to the store, the verification will always fail with "unable to get certificate CRL" and this might break existing applications. But it's also true that if some applications rely on the current behaviour that CRLs never get checked even if they're added, they will also break, although they shouldn't in the first place. I agree exposing it will be a sane approach regarding breaking changes, though there'll be more diff. I can make that change if it's okay.

daurnimator commented 4 years ago

I agree exposing it will be a sane approach regarding breaking changes, though there'll be more diff. I can make that change if it's okay.

Would it make sense to expose all the verification flags? X509_V_FLAG_CRL_CHECK/X509_V_FLAG_CRL_CHECK_ALL/X509_V_FLAG_EXTENDED_CRL_SUPPORT/etc.

fffonion commented 4 years ago

Yeah good point to expose all CRL verification flags.