- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Fully Compatible
- v8.0, v7.0, v6.0, v5.0
- Security 2024-10-14, Security 2024-10-28, Security 2024-11-11
When setting up CRLs, SSLManagerOpenSSL only sets the X509_V_FLAG_CRL_CHECK flag, which only "enables CRL checking for the certificate chain leaf certificate" (source).
Consequently, a peer certificate chain containing an intermediate issuer that has been revoked may still succeed in establishing an SSL connection. We should also set the X509_V_FLAG_CRL_CHECK_ALL flag, alongside X509_V_FLAG_CRL_CHECK, to enable CRL checking for the entire certificate chain.
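As an added illustration (not MongoDB's code), the same two OpenSSL verify flags as exposed by Python's standard ssl module, where VERIFY_CRL_CHECK_LEAF maps to X509_V_FLAG_CRL_CHECK and VERIFY_CRL_CHECK_CHAIN also covers X509_V_FLAG_CRL_CHECK_ALL: the leaf-only configuration the ticket describes sits beside the chain-wide one, and a small audit helper reports which scope a context's CRL checking actually covers. The function names are assumptions made for this example.

```python
import ssl
from typing import Optional

# OpenSSL verify flags as surfaced by Python's ssl module:
#   VERIFY_CRL_CHECK_LEAF  -> X509_V_FLAG_CRL_CHECK (leaf certificate only)
#   VERIFY_CRL_CHECK_CHAIN -> also sets X509_V_FLAG_CRL_CHECK_ALL (whole chain)
LEAF_ONLY = ssl.VERIFY_CRL_CHECK_LEAF
FULL_CHAIN = ssl.VERIFY_CRL_CHECK_CHAIN


def crl_check_scope(ctx: ssl.SSLContext) -> str:
    """Audit helper (hypothetical name): which certificates in a peer chain
    does this context's CRL checking cover? Returns "none", "leaf" or "chain"."""
    flags = ctx.verify_flags
    if flags & FULL_CHAIN == FULL_CHAIN:
        return "chain"   # leaf and every intermediate issuer are checked
    if flags & LEAF_ONLY:
        return "leaf"    # only the peer's own certificate is checked
    return "none"        # CRLs are loaded but never consulted


def make_context_leaf_only() -> ssl.SSLContext:
    """The weak configuration from the ticket: only X509_V_FLAG_CRL_CHECK.
    A revoked intermediate issuer is not noticed during verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= LEAF_ONLY
    return ctx


def make_context_full_chain(crl_file: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: CRL checking for the entire chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= FULL_CHAIN
    # Caveat: with chain-wide checking OpenSSL requires a CRL for every issuer
    # in the chain; a missing one fails the handshake with
    # "unable to get certificate CRL" rather than silently skipping the check.
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # PEM file holding the CRLs
    return ctx
```

The flag only changes which certificates are checked; the CRLs for the root and each intermediate still have to be loaded and kept current for the check to succeed.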