- Chris Mumford filed bug report #2861587

(http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used the OpenSSL function X509_load_crl_file() wrongly and failed if it would load a CRL file with more than one certificate within. This is now fixed.
2024-11-11 20:15:03 -05:00 · 2009-09-25 18:09:38 +00:00 · 2009-09-25 18:09:38 +00:00 · e3d623f190
commit e3d623f190
parent 15be441ad8
3 changed files with 10 additions and 3 deletions
--- a/6
+++ b/6
@ -6,6 +6,12 @@

                                  Changelog

+Daniel Stenberg (25 Sep 2009)
+- Chris Mumford filed bug report #2861587
+  (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
+  the OpenSSL function X509_load_crl_file() wrongly and failed if it would
+  load a CRL file with more than one certificate within. This is now fixed.
+  
 Daniel Stenberg (16 Sep 2009)
 - Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
  powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
--- a/3
+++ b/3
@ -29,6 +29,7 @@ This release includes the following bugfixes:
 o improved NSS detection in configure
 o cookie expiry date at 1970-jan-1 00:00:00
 o libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
+ o libcurl-OpenSSL can load CRL files with more than one certificate inside

 This release includes the following known bugs:

@ -39,6 +40,6 @@ advice from friends like these:

 Karl Moerder, Kamil Dudka, Krister Johansen, Andre Guibert de Bruet,
 Michal Marek, Eric Wong, Guenter Knauf, Peter Sylvester, Daniel Johnson,
- Claes Jakobsson, Sven Anders
+ Claes Jakobsson, Sven Anders, Chris Mumford

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@ -1536,8 +1536,8 @@ ossl_connect_step1(struct connectdata *conn,
     * revocation */
    lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file());
    if ( !lookup ||
-         (X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
-                             X509_FILETYPE_PEM)!=1) ) {
+         (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
+                              X509_FILETYPE_PEM)) ) {
      failf(data,"error loading CRL file :\n"
            "  CRLfile: %s\n",
            data->set.str[STRING_SSL_CRLFILE]?