This is the 2nd of 4 bugs in the tls_verify_crl() function. The code fails to perform a CRL lookup by issuer (as the comment right above the block states); instead, it performs a second lookup by subject. As a result, in our tests, after crash bugs 1 and 4 (issue #858 and issue #861) were fixed, ProFTPD still failed to take into account a valid CRL and break a connection.
The patch is as follows:
At least two other pieces of similar code, which contain the same comment as this one, are getting it right:
FWIW, 4 years ago, stunnel got rid of custom CRL handling code and started relying on OpenSSL's built-in handling instead. That was between 5.23 and 5.24, compare src/verify.c from https://www.usenix.org.uk/mirrors/stunnel/archive/5.x/stunnel-5.23.tar.gz and https://www.usenix.org.uk/mirrors/stunnel/archive/5.x/stunnel-5.24.tar.gz.
I hit this issue in the summer of 2018, after fixing the two crashes (issue #858 and issue #861) when dealing with TLS CRLs using CentOS 7's ProFTPD 1.3.5e package against OpenSSL 1.0.2*.
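To make the issuer-versus-subject mix-up concrete, here is an added example (not ProFTPD's code and not the patch referred to above) using Python's `cryptography` package: it builds a throwaway CA, a leaf certificate and a CRL revoking that leaf, then looks the CRL up keyed on the certificate's issuer versus its subject. The names, dates and serial numbers are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki():
    """Constructed test PKI: a self-signed CA, a leaf it issued, a CRL revoking the leaf."""
    now = datetime.datetime(2018, 7, 1, tzinfo=datetime.timezone.utc)  # constructed date
    later = now + datetime.timedelta(days=365)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = (x509.CertificateBuilder()
               .subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(now).not_valid_after(later)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("ftp.example.test")).issuer_name(ca_cert.subject)
            .public_key(leaf_key.public_key()).serial_number(2)
            .not_valid_before(now).not_valid_after(later)
            .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(leaf.serial_number).revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_cert.subject).last_update(now).next_update(later)
           .add_revoked_certificate(revoked)
           .sign(ca_key, hashes.SHA256()))
    return ca_cert, leaf, crl


def is_revoked(cert, crls, key_by_issuer=True):
    """True/False when a CRL for `cert` was found and consulted, None when none matched.

    CRLs are indexed by the name that issued them, so the right lookup key is the
    certificate's *issuer*. key_by_issuer=False reproduces the bug in the report:
    keying on the certificate's own *subject* only matches for self-signed certs,
    so a leaf never meets its CA's CRL and revocation is silently skipped.
    """
    store = {crl.issuer: crl for crl in crls}
    crl = store.get(cert.issuer if key_by_issuer else cert.subject)
    if crl is None:
        return None
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Note that the subject-keyed lookup still "works" for the CA certificate itself, which is exactly why the mistake is easy to miss in a test that only exercises self-signed certificates.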