[stunnel-users] crl next update field functionality seems incorrect

Steve Hoffman shoffman at cleversafe.com
Tue Feb 3 22:53:30 CET 2009

Regarding this piece of code in verify.c:

        if(X509_cmp_current_time(next_update)<0) {
            s_log(LOG_WARNING, "Found CRL is expired - "
                "revoking all certificates until you get updated CRL");
            X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
            return 0; /* reject connection */

I don't believe this is correct functionality.  The "next update" field is not an expiration of the CRL, but more of an indicator that you, as the holder of the CRL, should obtain a new one.

Snippet from this link:


About the "Next Update" Date

The browser uses the CRLs it has available to check the validity of certificates issued by the corresponding CAs. If a certificate is listed as revoked, the browser won't accept it as evidence of identity.

A CA typically publishes an updated CRL at regular intervals. Every CRL includes a date, specified in the Next Update field, by which the CA will publish the next update of that CRL. In general, if the date in the Next Update field is earlier than the current date, you should obtain the most recent version of the CRL. To view CRL information and set up automatic CRL updating, see Viewing and Managing CRLs.

CAs are required to produce a new CRL by the Next Update date. However, the absence of the most recent CRL does not by itself invalidate a certificate. For this reason, if the most recent CRL is not available, a certificate may be validated even though the most recent CRL shows it as expired. Automatic CRL updating can help to avoid this situation.

I'd like to suggest removing this check.


More information about the stunnel-users mailing list