I have found a commit in a different project that mentions a curl bug - and I think this bug is currently not known to the curl team: puppetlabs/leatherman@e7338b3
Curl 7.68 has a bug where it defaults to passing X509_V_FLAG_PARTIAL_CHAIN to openssl. This breaks CRL chains, since the crl logic passes X509_V_FLAG_CRL_CHECK_ALL, which requires a full chain.
We disable partial chains explicitly here to work around this.
So probably CURLOPT_CRLFILE does not work anymore with the default settings; it works only if CURLOPT_SSL_OPTIONS is used with CURLSSLOPT_NO_PARTIALCHAIN.
We should verify this, search for a workaround, or document it in the KNOWN_BUGS file.
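The interaction the leatherman commit message describes can be reproduced with nothing but the openssl command line. The script below is an added example for this issue, not code from curl, leatherman or OpenSSL; it assumes an `openssl` binary (1.1.1 or 3.x) on PATH, builds a throw-away root -> intermediate -> leaf PKI with one empty CRL per CA in a temporary directory (all constructed, nothing is fetched), and then runs the three `openssl verify` cases that matter here: the full chain with CRLs (what CURLOPT_CRLFILE does when partial chains are off), the partial chain with `-crl_check_all` (what curl 7.68 does by default), and the partial chain without the flag (what you give up with CURLSSLOPT_NO_PARTIALCHAIN). The function names are mine.

```shell
#!/bin/sh
# Added example (not curl's, leatherman's or OpenSSL's code): show with the
# openssl CLI why X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_CRL_CHECK_ALL do
# not combine. Assumes `openssl` 1.1.1+ on PATH; everything else is constructed.

# Build root CA -> intermediate CA -> leaf plus an (empty) CRL from each CA and
# print the directory holding them. Runs in a subshell so the cd does not leak.
make_demo_pki() (
  set -e
  dir=$(mktemp -d)
  cd "$dir"
  # Minimal config for `openssl req`; the subject itself comes from -subj.
  printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > req.cnf
  # Extension profiles: CAs may sign certs and CRLs, the leaf may not.
  cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  # `openssl ca -gencrl` insists on a certificate database even for an empty CRL.
  printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = index.txt\ndefault_md = sha256\n' > ca.cnf
  : > index.txt
  # P-256 keys keep the run fast; the key type plays no part in the chain logic.
  for name in root int leaf; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -config req.cnf -subj "/CN=demo $name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
    -extfile ext.cnf -extensions ca -out root.pem 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 -sha256 \
    -extfile ext.cnf -extensions ca -out int.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -sha256 \
    -extfile ext.cnf -extensions leaf -out leaf.pem 2>/dev/null
  # One CRL per CA: with CRL_CHECK_ALL OpenSSL wants a CRL for every link in the
  # chain, the self-signed root included.
  for ca in root int; do
    openssl ca -gencrl -config ca.cnf -cert "$ca.pem" -keyfile "$ca.key" \
      -md sha256 -crldays 1 -out "$ca.crl" 2>/dev/null
  done
  cat root.pem int.pem > chain.pem   # full trust set
  cat root.crl int.crl > crls.pem    # what CURLOPT_CRLFILE would point at
  echo "$dir"
)

# Full chain, CRLs for every CA: the chain is built up to the self-signed root
# and CRL_CHECK_ALL finds an issuer for every CRL it has to verify. Exit 0.
verify_full_chain() {
  openssl verify -no-CApath -crl_check_all \
    -CAfile "$1/chain.pem" -CRLfile "$1/crls.pem" "$1/leaf.pem"
}

# Partial chain + CRL_CHECK_ALL (curl 7.68 default with CURLOPT_CRLFILE): the
# chain stops at the trusted intermediate, so the revocation check for that last
# link has no issuer certificate in the chain to verify a CRL with. Non-zero exit.
verify_partial_chain() {
  openssl verify -no-CApath -crl_check_all -partial_chain \
    -CAfile "$1/int.pem" -CRLfile "$1/crls.pem" "$1/leaf.pem"
}

# The price of CURLSSLOPT_NO_PARTIALCHAIN: without -partial_chain, trusting only
# the intermediate is no longer enough ("unable to get issuer certificate").
verify_intermediate_only_no_flag() {
  openssl verify -no-CApath -CAfile "$1/int.pem" "$1/leaf.pem"
}

run_demo() {
  dir=$(make_demo_pki) || { echo "PKI setup failed" >&2; exit 1; }
  printf '\n# 1. full chain + CRLs\n'
  verify_full_chain "$dir"
  printf '\n# 2. partial chain + crl_check_all\n'
  verify_partial_chain "$dir" || true
  printf '\n# 3. intermediate-only trust without -partial_chain\n'
  verify_intermediate_only_no_flag "$dir" || true
  rm -rf "$dir"
}
run_demo "$@"
```

Run it with `sh`. Only the first case verifies; the other two fail, which is the pair of outcomes the thread is about: case 2 is what CURLOPT_CRLFILE hits once partial chains are on by default, case 3 is what the CURLSSLOPT_NO_PARTIALCHAIN workaround gives up. The exact error text differs between OpenSSL versions, so anything automated should key on the exit status rather than the message.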
Ack. Seems like an OpenSSL bug they've had open for over a year and projects are doing this work-around for. It does have the nasty side-effect that just because you use the CRL option you also can't do partial chains when verifying a cert...
I also found the corresponding OpenSSL bug: openssl/openssl#5081