- Chris Mumford filed bug report #2861587
  (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
  the OpenSSL function X509_load_crl_file() wrongly and failed if it would
  load a CRL file with more than one certificate within. This is now fixed.
Daniel Stenberg 2009-09-25 18:09:38 +00:00
parent 15be441ad8
commit e3d623f190
3 changed files with 10 additions and 3 deletions


@ -6,6 +6,12 @@
Changelog
Daniel Stenberg (25 Sep 2009)
- Chris Mumford filed bug report #2861587
(http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
the OpenSSL function X509_load_crl_file() wrongly and failed if it would
load a CRL file with more than one certificate within. This is now fixed.
Daniel Stenberg (16 Sep 2009)
- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
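Review bot: the new entry describes the failing input as a CRL file "with more than one certificate within", but what X509_load_crl_file() loads from a CRL file are CRLs, not certificates. Wording it as "more than one CRL" here, and in the matching release-notes bullet, would describe the symptom accurately for users who hit it.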


@ -29,6 +29,7 @@ This release includes the following bugfixes:
o improved NSS detection in configure
o cookie expiry date at 1970-jan-1 00:00:00
o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
o libcurl-OpenSSL can load CRL files with more than one certificate inside
This release includes the following known bugs:
@ -39,6 +40,6 @@ advice from friends like these:
Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
Claes Jakobsson, Sven Anders
Claes Jakobsson, Sven Anders, Chris Mumford
Thanks! (and sorry if I forgot to mention someone)


@ -1536,8 +1536,8 @@ ossl_connect_step1(struct connectdata *conn,
* revocation */
lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file());
if ( !lookup ||
(X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
X509_FILETYPE_PEM)!=1) ) {
(!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
X509_FILETYPE_PEM)) ) {
failf(data,"error loading CRL file :\n"
" CRLfile: %s\n",
data->set.str[STRING_SSL_CRLFILE]?
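Review bot: the replacement test `!X509_load_crl_file(...)` carries no comment saying why the result is no longer compared with 1, so the old `!=1` check could easily be reintroduced later. X509_load_crl_file() returns the number of CRLs it loaded and 0 on failure; a one-line comment to that effect above the call would record the intent. Since this path decides whether revocation data is in place before the connection proceeds, a test case with a PEM file holding two CRLs would also be worth adding alongside the fix. The failf() text in the context lines has a stray space in "CRL file :".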