An expired CRL should not override a successful match in other CRL #7476

Merged
merged 2 commits into from
May 7, 2024

Conversation

per-allansson
Contributor

Description

If we have an expired CRL and load another non-expired CRL, the current CRL check ends up returning the error from checking the CRL next date, while it found a good CRL match before that. This can be seen happening in wolfSSL debug logs here for example:

```
[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Entering CheckCertCRL
[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Found CRL Entry on list
[2024-04-26T05:45:57.017Z] Info : [Gothenburg 1] Checking next date validity
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Found CRL Entry on list
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Checking next date validity
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] Date AFTER check failed
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] CRL next date is no longer valid
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1]        CRL check not ok
 ...
[2024-04-26T05:45:57.018Z] Info : [Gothenburg 1] verify_callback err: -151
```

Testing

Verified in internal tests.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation
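
A simplified model of the lookup behaviour described in the PR text above, added here as an example; it is not wolfSSL's code. The struct, function names and sample list are hypothetical, -151 is the code shown in the log, and the revoked-serial lookup is left out.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model (not wolfSSL's types): one loaded CRL. */
struct model_crl { const char *issuer; long next_update; /* epoch seconds */ };

enum { MODEL_OK = 0, MODEL_NO_CRL = -1, MODEL_AFTER_DATE = -151 /* code from the log */ };

/* Constructed sample: current CRL loaded first, expired one second. */
static const struct model_crl SAMPLE[] = {
    { "CN=Model CA", 2000 },
    { "CN=Model CA",  500 },
};

/* Reported behaviour: each matching entry's date check overwrites the
 * result, so a later expired CRL masks an earlier good match. */
int check_last_wins(const struct model_crl *list, size_t n,
                    const char *issuer, long now)
{
    int ret = MODEL_NO_CRL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i].issuer, issuer) != 0)
            continue;
        ret = (now > list[i].next_update) ? MODEL_AFTER_DATE : MODEL_OK;
    }
    return ret;
}

/* Behaviour the PR title asks for: a current CRL for the issuer wins;
 * the date error is returned only when every matching CRL has expired. */
int check_valid_wins(const struct model_crl *list, size_t n,
                     const char *issuer, long now)
{
    int ret = MODEL_NO_CRL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(list[i].issuer, issuer) != 0)
            continue;
        if (now <= list[i].next_update)
            return MODEL_OK;
        ret = MODEL_AFTER_DATE;
    }
    return ret;
}

int main(void)
{
    /* Exit status 0 when the two models differ as described (-151 vs 0). */
    return !(check_last_wins(SAMPLE, 2, "CN=Model CA", 1000) == MODEL_AFTER_DATE &&
             check_valid_wins(SAMPLE, 2, "CN=Model CA", 1000) == MODEL_OK);
}
```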

@wolfSSL-Bot

Can one of the admins verify this patch?

@dgarske
Contributor

dgarske commented Apr 26, 2024

Okay to test. Contributor agreement on file.

@SparkiDev SparkiDev assigned per-allansson and unassigned SparkiDev Apr 29, 2024
@per-allansson per-allansson removed their assignment May 2, 2024
@SparkiDev SparkiDev self-assigned this May 7, 2024
@SparkiDev SparkiDev merged commit 52861cb into wolfSSL:master May 7, 2024
114 checks passed
@per-allansson per-allansson deleted the one-crl-to-rule-them-all branch May 17, 2024 11:16
jefferyq2 pushed a commit to jefferyq2/wolfssl that referenced this pull request Jun 9, 2024
…em-all

An expired CRL should not override a successful match in other CRL