
List:       openssl-users
Subject:    Re: [openssl-users] X509 CRLs
From:       Erwann Abalea <erwann.abalea () keynectis ! com>
Date:       2013-08-27 17:49:48
Message-ID: 521CE6BC.4070703 () keynectis ! com

Hello,

On 27/08/2013 18:14, Thaddeus Fuller wrote:
> Hello all,
> 
> I had a couple questions about X509 CRLs.
> 
> 1) It appears that OpenSSL does not check my tree against the CRLs I provide.
> If I revoke my own leaf certificate, and establish mutually-authenticated SSL,
> OpenSSL does not prevent the connection from going through. However if I
> revoke the peer's leaf certificate, it will fail with the revoked certificate
> error. Is this by intention? Should I manually check my tree against the CRL
> before allowing the user to establish a connection?

If A needs to authenticate itself to B, then A presents its own 
certificate, and B must validate A's certificate: correct chaining and 
revocation status.
A doesn't need to check that its own certificate isn't revoked before 
trying to send it to B, that's B's duty.

> 2) Can a child CA revoke a parent CA? If I import a CRL to my system, should I
> check only the children of the CA for a matching serial and mark that
> certificate "Revoked", or should I also check the parents for revocation?
> What about a certificate that is signed by a parent, but isn't in the child's
> chain?

A child CA cannot revoke a parent CA, of course. The revocation status 
check should be done for each certificate in the chain (except the root, 
for not so obvious reasons).

> Two example PKI trees:
> A -> B -> C -> D
> A -> E -> F -> G
> 
> Let's say that certificate authority "B" imports a CRL. Which certificates
> should be checked for revocation?

If you want to verify certificate D, then you must verify its revocation 
status against a CRL produced by C. And then you must verify C's 
revocation status against the CRL produced by B. And finally you 
must verify B's revocation status against the CRL produced by A.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
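The chain walk described in the reply above, as an added example that is not part of the thread or of the OpenSSL project's own code: the script builds the A -> B -> C -> D tree from the question with the openssl command-line tool, issues one CRL per CA, revokes the intermediate C on B's CRL, and then runs `openssl verify` twice. The CA names come from the thread; the file layout, the `ca.cnf` sections, the EC keys and the `verify_leaf`/`revoke_cert` helper names are this example's own choices. It assumes an OpenSSL 1.1.1 or 3.x `openssl` binary on PATH (older releases exit 0 even when verification fails).

```shell
#!/bin/sh
# Added example: A -> B -> C -> D, one CRL per CA, revoke C, then compare
# `openssl verify -crl_check` (leaf only) with `-crl_check_all` (whole chain).
set -e

# Minimal `openssl ca` config shared by every CA; CA_DIR selects the issuer.
write_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = my_ca
[ my_ca ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[ req ]
distinguished_name = dn
[ dn ]
EOF
}

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# init_ca NAME: empty database, serial and CRL number for a CA directory.
init_ca() {
  mkdir -p "$1"; : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
}

# issue ISSUER NAME EXT KEYFILE CERTFILE: CA ISSUER signs a CSR for /CN=NAME.
issue() {
  openssl req -new $KEYOPTS -keyout "$4" -subj "/CN=$2" -config ca.cnf -out "$2.csr" 2>/dev/null
  CA_DIR="$1" openssl ca -batch -notext -config ca.cnf -extensions "$3" \
    -in "$2.csr" -out "$5" 2>/dev/null
}

# gen_crl NAME: (re)issue NAME's CRL from its database.
gen_crl() { CA_DIR="$1" openssl ca -gencrl -config ca.cnf -out "$1/crl.pem" 2>/dev/null; }

# revoke_cert ISSUER CERTFILE: mark CERTFILE revoked in ISSUER's database, reissue its CRL.
revoke_cert() {
  CA_DIR="$1" openssl ca -revoke "$2" -config ca.cnf 2>/dev/null
  gen_crl "$1"
}

# build_pki: fresh working directory, root A, sub-CAs B and C, leaf D, three CRLs.
build_pki() {
  WORK=$(mktemp -d); cd "$WORK"; write_config
  export CA_DIR=A
  for ca in A B C; do init_ca "$ca"; done
  openssl req -x509 $KEYOPTS -keyout A/ca.key -subj /CN=A -days 365 \
    -config ca.cnf -extensions ca_ext -out A/ca.crt 2>/dev/null
  issue A B ca_ext B/ca.key B/ca.crt
  issue B C ca_ext C/ca.key C/ca.crt
  issue C D ee_ext D.key D.crt
  for ca in A B C; do gen_crl "$ca"; done
  cat B/ca.crt C/ca.crt > chain.pem        # untrusted intermediates
}

# verify_leaf FLAG: verify D.crt against root A with the current CRLs.
# FLAG is -crl_check (D against C's CRL only) or -crl_check_all (D against C's
# CRL, C against B's CRL, B against A's CRL; the root A itself is not checked).
verify_leaf() {
  cat A/crl.pem B/crl.pem C/crl.pem > crls.pem
  openssl verify -CAfile A/ca.crt -untrusted chain.pem -CRLfile crls.pem "$1" D.crt
}

build_pki
echo "--- nothing revoked"
verify_leaf -crl_check_all
echo "--- C revoked on B's CRL"
revoke_cert B C/ca.crt
verify_leaf -crl_check || true       # leaf-only check: D is not on C's CRL, still OK
verify_leaf -crl_check_all || true   # whole-chain check: error 23, certificate revoked (depth 1 = C)
```

The point of running both flags is the one the reply makes: a CRL check on the leaf alone does not consult B's CRL at all, so a revoked intermediate goes unnoticed; only the per-level walk (`-crl_check_all`, or `X509_V_FLAG_CRL_CHECK_ALL` in the API) catches it.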


