diff --git a/CHANGES b/CHANGES index c9a34891e..395914854 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,12 @@ Changelog +Daniel Stenberg (25 Sep 2009) +- Chris Mumford filed bug report #2861587 + (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used + the OpenSSL function X509_load_crl_file() wrongly and failed if it would + load a CRL file with more than one certificate within. This is now fixed. + Daniel Stenberg (16 Sep 2009) - Sven Anders reported that we introduced a cert verfication flaw for OpenSSL- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 6077ef25f..519587bc9 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -29,6 +29,7 @@ This release includes the following bugfixes: o improved NSS detection in configure o cookie expiry date at 1970-jan-1 00:00:00 o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name + o libcurl-OpenSSL can load CRL files with more than one certificate inside This release includes the following known bugs: @@ -39,6 +40,6 @@ advice from friends like these: Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet, Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson, - Claes Jakobsson, Sven Anders + Claes Jakobsson, Sven Anders, Chris Mumford Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/ssluse.c b/lib/ssluse.c index 363c27a1e..2ea3b2f55 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1536,8 +1536,8 @@ ossl_connect_step1(struct connectdata *conn, * revocation */ lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file()); if ( !lookup || - (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], - X509_FILETYPE_PEM)!=1) ) { + (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], + X509_FILETYPE_PEM)) ) { failf(data,"error loading CRL file :\n" " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE]?