I started experimenting with delta CRLs and noticed that 'openssl
verify' in OpenSSL distribution test suite uses -extended_crl flag with
-use_deltas. The documentation is not clear if 'extended CRL features'
also covers delta CRLs and if it is required for deltas to work.
The corresponding verify flags are also mentioned on the
X509_VERIFY_PARAM_set_flags manual page, with some caveats regarding
delta CRLs, but otherwise there seem to be few examples in the net about
what options to use.
Can anyone confirm if -extended_crl is required for delta CRLs? If it
is, I can submit a documentation update to make clarify this.
Here are the docs I've used:
https://www.openssl.org/docs/manmaster/man1/verify.html
https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Thanks,
Heikki
--
Heikki Vatiainen