Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.0 Required, 8.1.0-rc0, 8.0.4, 7.0.16, 6.0.20
Affects Version/s: None
Component/s: None
Labels:
- bkp

Assigned Teams:

Server Security
Backwards Compatibility:
Fully Compatible
Backport Requested:

v8.0, v7.0, v6.0, v5.0
Sprint:
Security 2024-10-14, Security 2024-10-28, Security 2024-11-11

When setting up CRLs, SSLManagerOpenSSL only sets the X509_V_FLAG_CRL_CHECK flag, which only "enables CRL checking for the certificate chain leaf certificate" (source).

Consequently, peer certificate chains containing intermediate issuers that were revoked may still succeed in establishing SSL connection. We should add the X509_V_FLAG_CRL_CHECK_ALL flag to enable CRL checking for the entire certificate chain.

is related to

SERVER-94764 Create unit test fixture for testing peer certificate validation

Closed

Assignee:: Erwin Pe

Reporter:: Erwin Pe

Participants:: Erwin Pe, Githook User

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: Oct 01 2024 11:03:09 PM UTC

Updated:: Dec 19 2024 05:01:25 PM UTC

Resolved:: Oct 29 2024 03:16:46 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates