fix(plugin): Proper error handling when checking all CRLs

If a chain of Certificate Authorities (CAs) longer than one is present,
all CRL checks on the additional CAs were bypassed. This resulted in the
potential acceptance of certificates that have been revoked or have
expired CRLs.
Romain Gauci 2024-09-10 17:31:24 +02:00 committed by Julius Pfrommer
parent 317819b7d3
commit 9b6848a7e8

@ -532,6 +532,8 @@ UA_CertificateVerification_Verify (void * verificationContext,
opensslRet = X509_STORE_CTX_get_error (storeCtx);
if (opensslRet == X509_V_ERR_UNABLE_TO_GET_CRL) {
ret = UA_STATUSCODE_BADCERTIFICATEISSUERREVOCATIONUNKNOWN;
} else {
ret = UA_X509_Store_CTX_Error_To_UAError (opensslRet);
}
}
}
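
Review bot: In the else branch, `ret = UA_X509_Store_CTX_Error_To_UAError (opensslRet);` makes the outcome of this path depend entirely on a mapping function whose body is not shown in this hunk. Please confirm that it maps X509_V_ERR_CERT_REVOKED and X509_V_ERR_CRL_HAS_EXPIRED to Bad status codes and that its default case can never return UA_STATUSCODE_GOOD, because any OpenSSL error it does not recognise would otherwise bring back the bypass described in the commit message. A short comment on why only X509_V_ERR_UNABLE_TO_GET_CRL is special-cased, and a regression test using a CA chain longer than one where an additional CA's certificate is revoked or its CRL has expired, would help keep this path covered.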