Re: [PATCH] SSL: Added crl_check_mode

Maxim Dounin
March 09, 2017 12:56PM
Hello!

On Wed, Mar 08, 2017 at 06:12:32PM +0200, Jürno Ader wrote:

> # HG changeset patch
> # User Jürno Ader <jyrno42@gmail.com>
> # Date 1488987398 -7200
> # Wed Mar 08 17:36:38 2017 +0200
> # Node ID 9c13ae0d54a75902945bc6ac9bbced1c298fdaa0
> # Parent d450723755728f9d0cc291247b9601e2f3340f19
> SSL: Added crl_check_mode
>
> Added crl_check_mode flag which can be used to modify flags used for
> the X509_STORE created in ngx_ssl_crl.
>
> This makes it possible to use Estonian Identity card revocation lists with
> nginx (see https://trac.nginx.org/nginx/ticket/1094) which previously failed
> since the root certificate for ESTEID does not have a proper CRL available.

Just for the record: I've again looked at this, and it seems the
problem with the CRL is as follows:

The root certificate, "EE Certification Centre Root CA", has a CRL
available at http://www.sk.ee/repository/crls/eeccrca.crl. This
CRL lists the Issuing Distribution Point extension as follows:

    X509v3 Issuing Distrubution Point: critical
        Full Name:
          URI:http://www.sk.ee/repository/crls/eeccrca.crl

But there are no CRL Distribution Points in the certificate itself.
As a result, OpenSSL refuses to use this CRL when it tries to
verify more than just a leaf certificate, for example:

$ openssl verify -CAfile EE_Certification_Centre_Root_CA.pem.crt -CRLfile eeccrca.crl.pem -crl_check_all KLASS3-SK_2010_EECCRCA_SHA384.pem.crt
KLASS3-SK_2010_EECCRCA_SHA384.pem.crt: C = EE, O = AS Sertifitseerimiskeskus, CN = EE Certification Centre Root CA, emailAddress = pki@sk.ee
error 44 at 1 depth lookup:Different CRL scope

This probably should be reported to the sk.ee team, likely they
want to fix this. Simply removing the IDP extension from the CRL
should do the trick.

[...]

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
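The "Different CRL scope" error above comes from the CRL scope rules in RFC 5280 section 6.3.3 (b)(2): when a CRL carries an Issuing Distribution Point (IDP) with a distributionPoint name, it only covers certificates whose own CRL Distribution Points (CDP) extension names that same point. The following is an added example, not nginx, OpenSSL or sk.ee code, that models that rule in plain Python over constructed stand-ins for the certificates and CRL discussed in the message. It reproduces the reported case (IDP in the CRL, no CDP in the intermediate certificate) and the fix Maxim suggests (dropping the IDP); as an extension beyond the message, it also shows the other RFC 5280-conformant fix, adding a matching CDP to the certificate. Subject names, the `is_ca` flag and the dataclass field names are assumptions for illustration.

```python
"""Model of the RFC 5280 6.3.3 (b)(2) CRL scope check behind OpenSSL's
"Different CRL scope" (X509_V_ERR_DIFFERENT_CRL_SCOPE).

Added example; not code from nginx, OpenSSL or sk.ee. Certificates and
CRLs are constructed stand-ins, not parsed from real DER/PEM."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DistributionPoint:
    # One entry of a certificate's CRL Distribution Points extension, or the
    # distributionPoint name of a CRL's Issuing Distribution Point extension.
    full_names: List[str]


@dataclass
class Certificate:
    subject: str
    issuer: str
    is_ca: bool  # assumed flag standing in for basicConstraints cA
    crl_distribution_points: List[DistributionPoint] = field(default_factory=list)


@dataclass
class IssuingDistributionPoint:
    distribution_point: Optional[DistributionPoint] = None
    only_contains_user_certs: bool = False
    only_contains_ca_certs: bool = False


@dataclass
class CRL:
    issuer: str
    idp: Optional[IssuingDistributionPoint] = None  # None: extension absent


def crl_in_scope(cert: Certificate, crl: CRL) -> Tuple[bool, str]:
    """Return (applies, reason) for using `crl` to check `cert`."""
    if crl.issuer != cert.issuer:
        return False, "CRL issuer does not match certificate issuer"
    if crl.idp is None:
        # No IDP: the CRL is a full CRL for everything this issuer signed.
        return True, "no IDP extension: CRL covers every certificate of its issuer"
    idp = crl.idp
    if idp.only_contains_user_certs and cert.is_ca:
        return False, "Different CRL scope (onlyContainsUserCerts, certificate is a CA)"
    if idp.only_contains_ca_certs and not cert.is_ca:
        return False, "Different CRL scope (onlyContainsCACerts, certificate is not a CA)"
    if idp.distribution_point is not None:
        # RFC 5280 6.3.3 (b)(2)(i): one IDP name must match one CDP name.
        idp_names = set(idp.distribution_point.full_names)
        for dp in cert.crl_distribution_points:
            if idp_names & set(dp.full_names):
                return True, "IDP name matches a CRL Distribution Point of the certificate"
        # A certificate with no CDP at all can never match: this is the sk.ee case.
        return False, "Different CRL scope (no CRL Distribution Point of the certificate names the IDP)"
    return True, "IDP without distributionPoint name"


# Constructed stand-ins for the artifacts named in the message.
ROOT = "CN=EE Certification Centre Root CA"
CRL_URL = "http://www.sk.ee/repository/crls/eeccrca.crl"


def _klass3_without_cdp() -> Certificate:
    # Intermediate as described above: no CRL Distribution Points extension.
    return Certificate(subject="CN=KLASS3-SK 2010", issuer=ROOT, is_ca=True)


def _crl_with_idp() -> CRL:
    return CRL(issuer=ROOT, idp=IssuingDistributionPoint(
        distribution_point=DistributionPoint([CRL_URL])))


def sk_case_as_reported() -> Tuple[bool, str]:
    """CRL carries an IDP, certificate has no CDP: rejected."""
    return crl_in_scope(_klass3_without_cdp(), _crl_with_idp())


def sk_case_idp_removed() -> Tuple[bool, str]:
    """Maxim's suggested fix: reissue the CRL without the IDP extension."""
    return crl_in_scope(_klass3_without_cdp(), CRL(issuer=ROOT, idp=None))


def sk_case_cdp_added() -> Tuple[bool, str]:
    """Alternative fix (not from the message): put a matching CDP in the cert."""
    cert = _klass3_without_cdp()
    cert.crl_distribution_points.append(DistributionPoint([CRL_URL]))
    return crl_in_scope(cert, _crl_with_idp())


if __name__ == "__main__":
    for name, fn in [("as reported", sk_case_as_reported),
                     ("IDP removed", sk_case_idp_removed),
                     ("CDP added", sk_case_cdp_added)]:
        ok, why = fn()
        print(f"{name:12s} -> {'applies' if ok else 'REJECTED'}: {why}")
```

Running the block prints the reported case as rejected with the scope reason and both fixes as applicable. The model deliberately omits the cRLIssuer and indirect-CRL branches of 6.3.3 (b)(2); they do not come into play for a CRL issued directly by the root.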