Skip to content

CRLs and OpenSSL: CURLSSLOPT_NO_PARTIALCHAIN is needed #5374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mkauf opened this issue May 11, 2020 · 1 comment
Closed

CRLs and OpenSSL: CURLSSLOPT_NO_PARTIALCHAIN is needed #5374

mkauf opened this issue May 11, 2020 · 1 comment
Labels
TLS

Comments

@mkauf
Copy link
Contributor

mkauf commented May 11, 2020

I have found a commit in a different project that mentions a curl bug - and I think this bug is currently not known to the curl team: puppetlabs/leatherman@e7338b3

Curl 7.68 has a bug where it defaults to passing X509_V_FLAG_PARTIAL_CHAIN to openssl. This breaks CRL chains, since the crl logic passes X509_V_FLAG_CRL_CHECK_ALL, which requires a full chain.

We disable partial chains explicitly here to work around this.

I also found the corresponding OpenSSL bug: openssl/openssl#5081

So probably CURLOPT_CRLFILE does not work anymore with the default settings, it works only if CURLOPT_SSL_OPTIONS is used with CURLSSLOPT_NO_PARTIALCHAIN.

We should verify this, search a workaround, or document it in the KNOWN_BUGS file.
@bagder bagder added the TLS label May 11, 2020
@bagder
Copy link
Member

bagder commented May 11, 2020

Ack. Seems like an OpenSSL bug they've had open for over a year and projects are doing this work-around for. I does have the nasty side-effect that just because you use the CRL option you also can't do partial chains when verifying a cert...

bagder added a commit that referenced this issue May 11, 2020
@bagder
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
2568bd0 
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
@bagder bagder mentioned this issue May 11, 2020
Closed
@bagder bagder closed this as completed in 81a54b1 May 13, 2020
@vhvb1989 vhvb1989 mentioned this issue Dec 27, 2021
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
TLS
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN curl/curl
2 participants
@bagder @mkauf