Dear OpenSSL users, currently using openssl version 1.0.1d on Win32 and Linux and we're about to use indirect crls. The main intent is to keep the RCAs secrets in a vault. Since we found no commandline support for this, we wrote a class to generate the needed crls. Verifying a end-entity cert we found some unexpected behavior. The put a request to the opessl-dev list yesterday (subject "[openssl-dev] Possible deficiency verifying with indirect crl") which is currently without response. Next surprise arose when it came to path validation of the crl issuers cert. Firstly the chain could not be built since the method to access the trusted certs list was not in place. So we copied the method and the pointer to the stack of trusted certs into the temporary context within the function check_crl_path. Did i miss something or is anyone interested in discussing these measures or even successfully using verification with indirect crls? BTW: The current version, 1.0.1g, seems to make no difference in behavior since the relevant portions of the code seem to be untouched. Thanks in advance -- Christian Weber
