<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">

<html lang="en">

<head>

<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">

<title>

GitLab

</title>

<style>img {

max-width: 100%; height: auto;

}

</style>

</head>

<body>

<div class="content">

<p class="details" style="font-style: italic; color: #777;">

<a href="https://gitlab.com/yuemonangong">yuemonangong</a> created an issue:

</p>

<div></div>

<p dir="auto">I created two CRLs [test1.crl, test2.crl] and a certificate chain revoked by test1.crl. When “<strong>next update</strong>” of two CRLs is <strong>earlier than current time</strong> (or “last update” is later than current time), <strong>GnuTLS 3.6.10</strong> takes them as normal CRLs during certificate(s) validation, <strong>lacking check on last update/next update of CRL</strong>.</p>

<p dir="auto">Comparatively, <strong>OpenSSL will check the validity</strong> of CRL no matter using it to revoke certificate(s) or not.</p>

<p dir="auto">The command I used is:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">certtool --verify --load_crl=test1.crl --load_ca_certificate=root.pem < leaf.pem</span></code></pre>

<p dir="auto">and</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">certtool --verify --load_crl=test2.crl --load_ca_certificate=root.pem < leaf.pem</span></code></pre>

<p dir="auto">Results of test1.crl:</p>

<p dir="auto">GnuTLS:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Loaded CAs (2 available)</span>

<span id="LC2" class="line" lang="plaintext">       Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB</span>

<span id="LC3" class="line" lang="plaintext">       Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC4" class="line" lang="plaintext">       Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC5" class="line" lang="plaintext">       Signature algorithm: RSA-SHA256</span>

<span id="LC6" class="line" lang="plaintext">       Output: Verified. The certificate is trusted. </span>

<span id="LC7" class="line" lang="plaintext"></span>

<span id="LC8" class="line" lang="plaintext">       Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB</span>

<span id="LC9" class="line" lang="plaintext">       Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC10" class="line" lang="plaintext">      Signature algorithm: RSA-SHA256</span>

<span id="LC11" class="line" lang="plaintext">      Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC12" class="line" lang="plaintext">      Output: Not verified. The certificate is NOT trusted. The certificate chain is revoked. </span>

<span id="LC13" class="line" lang="plaintext"></span>

<span id="LC14" class="line" lang="plaintext">Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain is revoked.</span></code></pre>

<p dir="auto">OpenSSL:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd</span>

<span id="LC2" class="line" lang="plaintext">error 12 at 0 depth lookup: CRL has expired</span>

<span id="LC3" class="line" lang="plaintext">C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd</span>

<span id="LC4" class="line" lang="plaintext">error 23 at 0 depth lookup: certificate revoked</span>

<span id="LC5" class="line" lang="plaintext">error leaf.pem: verification failed</span></code></pre>

<p dir="auto">Results of test2.crl:</p>

<p dir="auto">GnuTLS:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">Loaded CAs (2 available)</span>

<span id="LC2" class="line" lang="plaintext">       Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB</span>

<span id="LC3" class="line" lang="plaintext">       Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC4" class="line" lang="plaintext">       Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC5" class="line" lang="plaintext">       Signature algorithm: RSA-SHA256</span>

<span id="LC6" class="line" lang="plaintext">       Output: Verified. The certificate is trusted. </span>

<span id="LC7" class="line" lang="plaintext"></span>

<span id="LC8" class="line" lang="plaintext">       Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB</span>

<span id="LC9" class="line" lang="plaintext">       Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC10" class="line" lang="plaintext">      Signature algorithm: RSA-SHA256</span>

<span id="LC11" class="line" lang="plaintext">      Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN</span>

<span id="LC12" class="line" lang="plaintext">      Output: Verified. The certificate is trusted. </span>

<span id="LC13" class="line" lang="plaintext"></span>

<span id="LC14" class="line" lang="plaintext">Chain verification output: Verified. The certificate is trusted.</span></code></pre>

<p dir="auto">OpenSSL:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd</span>

<span id="LC2" class="line" lang="plaintext">error 12 at 0 depth lookup: CRL has expired</span>

<span id="LC3" class="line" lang="plaintext">C = CN, ST = SH, O = SJTU, OU = DDST, CN = NCRL</span>

<span id="LC4" class="line" lang="plaintext">error 12 at 1 depth lookup: CRL has expired</span>

<span id="LC5" class="line" lang="plaintext">error leaf.pem: verification failed</span></code></pre>

<p dir="auto">root.pem:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>

<span id="LC2" class="line" lang="plaintext">MIIDNDCCAhygAwIBAgIJAPU0AU3ad04vMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV</span>

<span id="LC3" class="line" lang="plaintext">BAYTAkNOMQswCQYDVQQIDAJTSDENMAsGA1UECgwEU0pUVTENMAsGA1UECwwERERT</span>

<span id="LC4" class="line" lang="plaintext">VDENMAsGA1UEAwwETkNSTDAeFw0yMDAzMjYwODI3NDlaFw0yMzAxMTQwODI3NDla</span>

<span id="LC5" class="line" lang="plaintext">MEcxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJTSDENMAsGA1UECgwEU0pUVTENMAsG</span>

<span id="LC6" class="line" lang="plaintext">A1UECwwERERTVDENMAsGA1UEAwwETkNSTDCCASIwDQYJKoZIhvcNAQEBBQADggEP</span>

<span id="LC7" class="line" lang="plaintext">ADCCAQoCggEBAPNLlu+KPCcjj1KiZ1/sUFvFRDt3Z7WZTWjOYeJUFvycHNcYN9cE</span>

<span id="LC8" class="line" lang="plaintext">laGJ32hfjgaPw9u3cOgs0JJHwIhlQkNhSexUvgGatw336H/3FjPQCJKs48lDJG13</span>

<span id="LC9" class="line" lang="plaintext">sDF7TK1MvG5wcF1pgRkfvoRSWOyr30aqoeQHaRnqMnT0lWBy26mmV6mgM7LPeNq8</span>

<span id="LC10" class="line" lang="plaintext">E6jh6aLy7uep3+rO/Ef7LvFi/QWqy+vVVmr5MljXtFyWI+aLs4uFtZZ6rFw5Va4U</span>

<span id="LC11" class="line" lang="plaintext">Y6OffwchjkVex1eML4D593fobkmkubxZEm2o2Upi/Eiech7CM8HuwgqrAwoIVxi6</span>

<span id="LC12" class="line" lang="plaintext">FlObraD90sUSUKUwohvl03tkjCTXakXF2TUCAwEAAaMjMCEwEgYDVR0TAQH/BAgw</span>

<span id="LC13" class="line" lang="plaintext">BgEB/wIBAzALBgNVHQ8EBAMCAeYwDQYJKoZIhvcNAQELBQADggEBACb6hOtUCqD5</span>

<span id="LC14" class="line" lang="plaintext">sH4VucCO4FYFHM6nfBvB9vx+c2RPC/psam9clOvL5llrUhY070pXbZnd2hwxfnzj</span>

<span id="LC15" class="line" lang="plaintext">cdr448sVyJkHosukzZj/MyEBV9BERTUMOaY4etQxM2L33uyzn5++/NeRC2Yd53AL</span>

<span id="LC16" class="line" lang="plaintext">vY/s4znat7txqBK/izvLemLerp1Z5E58VFzLOvYNz+7vEoxMmNaU55TGh88VJIvo</span>

<span id="LC17" class="line" lang="plaintext">THaZ3LflTc7hv9eUWin0LTV0mg7cvM+/qWrM2N2hyOukztF5gCcMEgoVkpEgUCJP</span>

<span id="LC18" class="line" lang="plaintext">WsrvOumtDNuXnPr80r4N54n5TaQCTBG22Tj89klc6jUji63+UR9KKACCV44KT8hc</span>

<span id="LC19" class="line" lang="plaintext">+0ecJPmXqEU=</span>

<span id="LC20" class="line" lang="plaintext">-----END CERTIFICATE-----</span></code></pre>

<p dir="auto">leaf.pem:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN CERTIFICATE-----</span>

<span id="LC2" class="line" lang="plaintext">MIIDITCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDTjEL</span>

<span id="LC3" class="line" lang="plaintext">MAkGA1UECAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNV</span>

<span id="LC4" class="line" lang="plaintext">BAMMBE5DUkwwHhcNOTYwODAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjBMMQswCQYD</span>

<span id="LC5" class="line" lang="plaintext">VQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw</span>

<span id="LC6" class="line" lang="plaintext">FQYDVQQKEw5NeSBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC</span>

<span id="LC7" class="line" lang="plaintext">AQoCggEBAL+N0yePi18I/+MxN/31iBehb2rO5s8MzykUz3aGp3BG/5uEFueqoYZN</span>

<span id="LC8" class="line" lang="plaintext">CNLA38wIUT/ry8wIw+jlTNj29L7Q9uOX8+10XgF4VTVtN14KT0s7tZ5dLjGRD7ft</span>

<span id="LC9" class="line" lang="plaintext">fZF03ifbGYp39fW2Wjutjo4Jyop+Bm7g6SrSJB3uaioITpZh8Xf7MHo+kNjJKPsu</span>

<span id="LC10" class="line" lang="plaintext">ZlVVNQ3T5WQWzoskcpRRIujv7U/NATuRzXODUzqnw+HGavu2qTX3falo5i0dzzrt</span>

<span id="LC11" class="line" lang="plaintext">9yCtLKqtC+0oX+kZPIi3ib/o20fY3hEXwYstq5sKpvV25xgKTbtwRN1KlMIhfSQN</span>

<span id="LC12" class="line" lang="plaintext">uFXIg/Rd6rbd9P60zPYxzOTwMsaEysECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB</span>

<span id="LC13" class="line" lang="plaintext">/zANBgkqhkiG9w0BAQsFAAOCAQEAKhf5CQGxsJCzkFJv26ggzi2HxN/X/eXcwJyy</span>

<span id="LC14" class="line" lang="plaintext">3gfPP0JZNLzRb6bmracLui58LyCX+0tmY5TA1G3V94Vdu2LIUMRoANwKszTxhW/n</span>

<span id="LC15" class="line" lang="plaintext">8oNvXDji+E62EsivCtoPgYRAwFE0q4flvcWzDwGlqCfEdaG1uqYGLlLxW8gmHdFs</span>

<span id="LC16" class="line" lang="plaintext">pKJf4yCzQOn04RmReXOhaAtyUT+xp9AUzawzr2PPGA75x7B07HT4ezLPWy+l1X0o</span>

<span id="LC17" class="line" lang="plaintext">gMBOWm3AwrwTD8k1B488NiKivCYjBn6UPG0r9/gKxSvdEJEJ6SyM8+Jw+f7lij8i</span>

<span id="LC18" class="line" lang="plaintext">55LYqy8oyPPknQOAWzB+KZkCbqkcBGJLEPR35agBN/SDSdioXA==</span>

<span id="LC19" class="line" lang="plaintext">-----END CERTIFICATE-----</span></code></pre>

<p dir="auto">test1.crl:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN X509 CRL-----</span>

<span id="LC2" class="line" lang="plaintext">MIIBtjCBnwIBATANBgkqhkiG9w0BAQ4FADBHMQswCQYDVQQGEwJDTjELMAkGA1UE</span>

<span id="LC3" class="line" lang="plaintext">CAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNVBAMMBE5D</span>

<span id="LC4" class="line" lang="plaintext">UkwXDTIwMDIxMDAzMjczMloXDTIwMDMzMTAzMjczMlowFDASAgEBFw0yMTAzMTYw</span>

<span id="LC5" class="line" lang="plaintext">MzI3MzJaoA4wDDAKBgNVHRQEAwIBADANBgkqhkiG9w0BAQ4FAAOCAQEA2Pdr+xMb</span>

<span id="LC6" class="line" lang="plaintext">XqLhN50342Kvv7QZyr8ocgVDjmeg15PjbbdubTqFwxgvBy62VscE46NuYBFHBL9D</span>

<span id="LC7" class="line" lang="plaintext">aDXGngVgxyQeBDFDTozcb2AcqbMtT1UtFQ/KnkYL9FZg+Vv4xJywAz0GjXvjcUiw</span>

<span id="LC8" class="line" lang="plaintext">wMzL4nzwarnLyLElNdyXA9+aMWdCYySaumUDS0fWFEpAKgjByNJ2neDPW/SF8G87</span>

<span id="LC9" class="line" lang="plaintext">E5tbdC28lMNJepewQC5lJONeleNOz65U5zjd60KY+vjEPtf85RAf8W3dzSSWzY6W</span>

<span id="LC10" class="line" lang="plaintext">qe2IOt4hGrE6aOVc+yE4ykrPoagZeA4c4oOZTq7b3T+MidrDV3ckdIYYC4vWvcVj</span>

<span id="LC11" class="line" lang="plaintext">/CoixkTJXBRnYw==</span>

<span id="LC12" class="line" lang="plaintext">-----END X509 CRL-----</span></code></pre>

<p dir="auto">test2.crl:</p>

<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">-----BEGIN X509 CRL-----</span>

<span id="LC2" class="line" lang="plaintext">MIIBoDCBiQIBATANBgkqhkiG9w0BAQ4FADBHMQswCQYDVQQGEwJDTjELMAkGA1UE</span>

<span id="LC3" class="line" lang="plaintext">CAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNVBAMMBE5D</span>

<span id="LC4" class="line" lang="plaintext">UkwXDTIwMDIxMDAzMzEyNloXDTIwMDMzMTAzMzEyNlqgDjAMMAoGA1UdFAQDAgEA</span>

<span id="LC5" class="line" lang="plaintext">MA0GCSqGSIb3DQEBDgUAA4IBAQCYxlVo38+wlB1zt+VIWusPZGJhe5Kda5B7lgB7</span>

<span id="LC6" class="line" lang="plaintext">qxoAio79rY/in0ydTKbvPa4CJk4HfwcFxbDlZE/9uDlt9teVsYSvrswQnCriab02</span>

<span id="LC7" class="line" lang="plaintext">DvQMA8pi7qtOB0I6l+3jajojZ4TqulDhJiZAqnjjEUmkXgbN+oIdj4+TVt4mGGBA</span>

<span id="LC8" class="line" lang="plaintext">HGjQdDpnDLpYEqNqhLvP7H8D0ErsSIw+M74iTP/1hMWdhfPjdYDwrtJ2EyIo5OpW</span>

<span id="LC9" class="line" lang="plaintext">HQ23xQRgTh/65qqdc7165vI6PTUCAeB2rIFiDX5SSF+teCjQM47sONLFoglFz1me</span>

<span id="LC10" class="line" lang="plaintext">gqHldvb5wHvdhrSbTNCgCCkksgnJmnm9w7vYwnaNvD1BK+n7</span>

<span id="LC11" class="line" lang="plaintext">-----END X509 CRL-----</span></code></pre>

</div>

<div class="footer" style="margin-top: 10px;">

<p style="font-size: small; color: #777;">

—

<br>

Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/1003">view it on GitLab</a>.

<br>

You're receiving this email because of your account on gitlab.com.

If you'd like to receive fewer emails, you can

<a href="https://gitlab.com/-/sent_notifications/12c406aca4d9fc78e525d4796e817479/unsubscribe">unsubscribe</a>

from this thread or

adjust your notification settings.

<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/gnutls/-/issues/1003"}}</script>

</p>

</div>

</body>

</html>