Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set#28797
Closed
carter-thaxton wants to merge 1 commit intoopenssl:openssl-3.6from
Closed
Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set#28797carter-thaxton wants to merge 1 commit intoopenssl:openssl-3.6from
carter-thaxton wants to merge 1 commit intoopenssl:openssl-3.6from
Conversation
openssl-machine
added
the
hold: cla required
Contributor
Author
|
CLA: trivial |
shahsb
reviewed
Oct 9, 2025
Contributor
shahsb
left a comment
shahsb
left a comment
There was a problem hiding this comment.
LGTM. Okay with CLA: Trivial
shahsb
reviewed
Oct 9, 2025
Contributor
shahsb
left a comment
shahsb
left a comment
There was a problem hiding this comment.
The author has to add CLA: trivial in the commit message separated by an empty line from the rest of the message. and also, obviously you'll have to sign the CLA if not done yet. Thanks!
…AG_CRL_CHECK is clear This fixes openssl#28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial
carter-thaxton
force-pushed
the
fix_crl_check_all
branch
from
f775206 to
243f9d3
Compare
openssl-machine
removed
the
hold: cla required
Contributor
Author
|
BTW, this pull request was made directly to the |
|
Any time line about this one here? :-) |
github-actions
bot
added
the
severity: fips change
jogme
added
branch: master
t8m
added
approval: review pending
Member
|
ping @openssl/committers for second review |
github-actions
bot
removed
the
severity: fips change
npajkovsky
approved these changes
Dec 3, 2025
jogme
added
approval: done
12 tasks
openssl-machine
added
approval: ready to merge
Collaborator
|
This pull request is ready to merge |
openssl-machine
pushed a commit
that referenced
this pull request
Dec 11, 2025
…AG_CRL_CHECK is clear Fixes #28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28797)
openssl-machine
pushed a commit
that referenced
this pull request
Dec 11, 2025
…AG_CRL_CHECK is clear Fixes #28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28797) (cherry picked from commit cbaf28c)
Member
|
Merged (after reformatting with clang-format) to the master and 3.6 branches. Thank you for your contribution. |
cxx194832
pushed a commit
to cxx194832/openssl
that referenced
this pull request
Dec 12, 2025
…AG_CRL_CHECK is clear Fixes openssl#28758 When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case. In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior. For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0. All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit. CLA: trivial Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from openssl#28797) (cherry picked from commit cbaf28c)
openssl-machine
pushed a commit
that referenced
this pull request
Jan 27, 2026
3.6.1 CHANGES.md includes the following: * #28760 "Improve the CPUINFO display for RISC-V" * #28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set" * #28955 "Fix for TLS handshake issue with GnuTLS #28902" * #29155 "fix(x509.c): fixed -checkend return values" * #29214 "s390x: Check and fail on invalid malformed ECDSA signatures" * #29245 "Clang format 3.6" * #29251 "Fix change of behavior of the single stapled OCSP response API" 3.6.1 NEWS.md includes the following: * #28797 "Fix regression when X509_V_FLAG_CRL_CHECK_ALL is set" * #28955 "Fix for TLS handshake issue with GnuTLS #28902" Co-Authored-by: Tomáš Mráz <[email protected]> Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Nikola Pajkovsky <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Saša Nedvědický <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> MergeDate: Mon Jan 26 20:01:30 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #28758
When X509_V_FLAG_CRL_CHECK is not set, the man pages document that X509_V_FLAG_CRL_CHECK_ALL is ignored. Prior to 3.6.0, this was indeed the case.
In 3.6.0, the behavior changed, and setting X509_V_FLAG_CRL_CHECK_ALL began to imply X509_V_FLAG_CRL_CHECK. This unfortunately breaks the majority of ruby installations, which relied on the documented behavior.
For consistency, this commit applies the same logic to the new X509_V_FLAG_OCSP_RESP_CHECK and X509_V_FLAG_OCSP_RESP_CHECK_ALL flags, which are still undocumented as of 3.6.0.
All existing tests continue to pass. They also make the assumption that the xxx_CHECK_ALL flags are irrelevant unless xxx_CHECK is set. We could add a new test for this regression. I'll leave that to another commit.
CLA: trivial