I have found a commit in a different project that mentions a curl bug - and I think this bug is currently not known to the curl team: puppetlabs/leatherman@e7338b3
Curl 7.68 has a bug where it defaults to passing X509_V_FLAG_PARTIAL_CHAIN to openssl. This breaks CRL chains, since the crl logic passes X509_V_FLAG_CRL_CHECK_ALL, which requires a full chain.
We disable partial chains explicitly here to work around this.
So probably CURLOPT_CRLFILE does not work anymore with the default settings; it works only if CURLOPT_SSL_OPTIONS is used with CURLSSLOPT_NO_PARTIALCHAIN.
We should verify this, search for a workaround, or document it in the KNOWN_BUGS file.
Ack. Seems like an OpenSSL bug they've had open for over a year and projects are doing this work-around for. It does have the nasty side-effect that just because you use the CRL option you also can't do partial chains when verifying a cert...
I also found the corresponding OpenSSL bug: openssl/openssl#5081
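The flag interaction the thread describes, reproduced with the openssl CLI as an added example (this is not code from the issue, from curl or from leatherman). It builds a root -> intermediate -> leaf chain plus one empty CRL per CA, then runs `openssl verify` three ways: a partial chain (only the intermediate trusted, i.e. X509_V_FLAG_PARTIAL_CHAIN) with the CRL checked for the leaf only, the same partial chain with -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL, what the thread says curl sets whenever CURLOPT_CRLFILE is given), and a full chain to the self-signed root with -crl_check_all. It assumes an `openssl` binary (1.1.x or 3.x) on PATH; the names Demo-Root, Demo-Intermediate and example.test, the config section names and the 30-day lifetimes are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the issue, curl or leatherman): reproduce with the
# openssl CLI what happens when -partial_chain (X509_V_FLAG_PARTIAL_CHAIN) is
# combined with -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL). All keys, certs
# and CRLs are generated here in a temporary directory; nothing is real.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: [req]/[dn] satisfy `openssl req` (subjects come from -subj),
# [demo] is just enough for `openssl ca -gencrl`, and the two extension
# sections mark CA certificates vs. the end-entity certificate.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.test
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# P-256 keys keep generation fast; -nodes leaves the keys unencrypted.
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Root (self-signed) -> intermediate -> leaf, all valid for 30 days.
openssl req -x509 -new $KEY -keyout root.key -out root.pem -days 30 \
  -subj /CN=Demo-Root -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new $KEY -keyout int.key -out int.csr \
  -subj /CN=Demo-Intermediate -config ca.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new $KEY -keyout leaf.key -out leaf.csr \
  -subj /CN=example.test -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# One empty CRL per CA, concatenated so a single -CRLfile covers the chain
# (openssl verify takes only one -CRLfile but loads every CRL in it).
openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.pem \
  -crldays 30 -out root.crl 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile int.key -cert int.pem \
  -crldays 30 -out int.crl 2>/dev/null
cat root.crl int.crl > all.crl

# Map `openssl verify <args> leaf.pem` to OK/FAIL (exit status 0 = accepted).
verify_leaf() {
  if openssl verify "$@" leaf.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Partial chain: only the intermediate is trusted; the CRL is checked for the
# leaf alone, and its issuer (the intermediate) is in the chain.
partial_chain_leaf_crl() {
  verify_leaf -partial_chain -CAfile int.pem -crl_check -CRLfile all.crl
}
# Same partial chain with CRL_CHECK_ALL: the trust anchor itself must be
# checked against a CRL signed by the root, which is not in the chain.
partial_chain_crl_all() {
  verify_leaf -partial_chain -CAfile int.pem -crl_check_all -CRLfile all.crl
}
# Full chain to the self-signed root with CRL_CHECK_ALL: every certificate's
# CRL issuer is present, so the check completes.
full_chain_crl_all() {
  verify_leaf -CAfile root.pem -untrusted int.pem -crl_check_all -CRLfile all.crl
}

echo "partial chain, leaf CRL only:  $(partial_chain_leaf_crl)"
echo "partial chain, CRL_CHECK_ALL:  $(partial_chain_crl_all)"
echo "full chain,    CRL_CHECK_ALL:  $(full_chain_crl_all)"
```

The middle case is the combination the thread is about: a chain that only verifies because of the partial-chain flag cannot also pass CRL_CHECK_ALL, since the anchor has no CRL issuer above it. The last case is what the issue's suggested libcurl workaround amounts to, passing CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_SSL_OPTIONS alongside CURLOPT_CRLFILE and trusting a chain that reaches a self-signed root. The first case shows that a leaf-only CRL check (X509_V_FLAG_CRL_CHECK without CRL_CHECK_ALL) does coexist with a partial chain, which the curl code path described in the thread does not offer.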