Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CRLs and OpenSSL: CURLSSLOPT_NO_PARTIALCHAIN is needed #5374

Closed
mkauf opened this issue May 11, 2020 · 1 comment
Closed

CRLs and OpenSSL: CURLSSLOPT_NO_PARTIALCHAIN is needed #5374

mkauf opened this issue May 11, 2020 · 1 comment
Labels

Comments

@mkauf
Copy link
Contributor

@mkauf mkauf commented May 11, 2020

I have found a commit in a different project that mentions a curl bug - and I think this bug is currently not known to the curl team: puppetlabs/leatherman@e7338b3

Curl 7.68 has a bug where it defaults to passing X509_V_FLAG_PARTIAL_CHAIN to openssl. This breaks CRL chains, since the crl logic passes X509_V_FLAG_CRL_CHECK_ALL, which requires a full chain.

We disable partial chains explicitly here to work around this.

I also found the corresponding OpenSSL bug: openssl/openssl#5081

So probably CURLOPT_CRLFILE does not work anymore with the default settings, it works only if CURLOPT_SSL_OPTIONS is used with CURLSSLOPT_NO_PARTIALCHAIN.

We should verify this, search a workaround, or document it in the KNOWN_BUGS file.

@bagder bagder added the SSL/TLS label May 11, 2020
@bagder
Copy link
Member

@bagder bagder commented May 11, 2020

Ack. Seems like an OpenSSL bug they've had open for over a year and projects are doing this work-around for. I does have the nasty side-effect that just because you use the CRL option you also can't do partial chains when verifying a cert...

bagder added a commit that referenced this issue May 11, 2020
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
@bagder bagder closed this in 81a54b1 May 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants
You can’t perform that action at this time.