nginx doesn't check delta CRLs
Reported by: Niko
nginx version: nginx/1.9.4
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
We are using nginx for certificate authentication. We have multiple trusted certificate authorities (CA) and related certificate revocation lists (CRL) in one pem file which is updated on a daily basis:
This works fine so far when a certificate authority has only one corresponding CRL. However, when a CA uses so-called "Delta CRLs", a revoked client certificate which is only present in the delta CRL seems not to be read by nginx. The revoked certificate is accepted by nginx. If the revoked certificate is directly inserted into the "main" CRL, nginx declines the authentication.
Does nginx support "Delta CRLs"? I believe this is a security issue, because there may be some certificate authorities which make use of "Delta CRLs". If nginx ignores them, a client certificate is accepted although it is revoked.
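The gap the report describes, shown as an added example that is not part of the ticket and not nginx's own code: it builds a throwaway CA, a base ("complete") CRL and a delta CRL with the `cryptography` package (assumed to be installed), then contrasts a verifier that consults only the base CRL with one that applies the delta as RFC 5280 describes. All names, keys and serial numbers are constructed for this example; a delta CRL that un-revokes a certificate (reason `removeFromCRL`) is included to show why the delta must be applied on top of the base rather than simply concatenated to it.

```python
"""Base CRL + delta CRL revocation check for client certificates.

Added example, not code from the nginx ticket or from nginx itself. It builds
a throwaway CA, a base (complete) CRL and a delta CRL with the `cryptography`
package, then contrasts a verifier that consults only the base CRL with one
that applies the delta per RFC 5280. All names, keys and serial numbers are
constructed for this example.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2015, 9, 1)  # naive datetimes are treated as UTC
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)

SERIAL_OLD = 0x1001     # revoked in the base CRL
SERIAL_NEW = 0x1002     # revoked after the base CRL was issued: delta only
SERIAL_UNDONE = 0x1003  # on hold in the base CRL, released again in the delta
SERIAL_GOOD = 0x1004    # never revoked


def _entry(serial, reason=None):
    """One revoked-certificate entry; `reason` is an optional CRLReason flag."""
    b = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
    if reason is not None:
        b = b.add_extension(x509.CRLReason(reason), critical=False)
    return b.build()


def _crl(entries, extensions, validity):
    """Sign a CRL with the constructed CA key; `extensions` is (ext, critical) pairs."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ISSUER)
         .last_update(NOW)
         .next_update(NOW + validity))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    for e in entries:
        b = b.add_revoked_certificate(e)
    return b.sign(CA_KEY, hashes.SHA256())


def build_base_crl(crl_number=10):
    return _crl(
        [_entry(SERIAL_OLD), _entry(SERIAL_UNDONE, x509.ReasonFlags.certificate_hold)],
        [(x509.CRLNumber(crl_number), False)],
        datetime.timedelta(days=1))


def build_delta_crl(crl_number=12, base_crl_number=10):
    # RFC 5280 5.2.4: a delta CRL carries a critical Delta CRL Indicator
    # holding the CRL number of the base CRL it extends.
    return _crl(
        [_entry(SERIAL_NEW), _entry(SERIAL_UNDONE, x509.ReasonFlags.remove_from_crl)],
        [(x509.CRLNumber(crl_number), False),
         (x509.DeltaCRLIndicator(base_crl_number), True)],
        datetime.timedelta(hours=1))


def _crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def _reason(entry):
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return None


def is_revoked_base_only(base, serial):
    """What a verifier that ignores delta CRLs sees: the base CRL alone."""
    return any(r.serial_number == serial for r in base)


def is_revoked_with_delta(base, delta, serial, ca_public_key):
    """RFC 5280 6.3.3 style check: verify both signatures, confirm the delta
    extends this base (BaseCRLNumber <= base number < delta number), then
    apply the delta's entries on top of the base, honouring removeFromCRL."""
    if not (base.is_signature_valid(ca_public_key) and delta.is_signature_valid(ca_public_key)):
        raise ValueError("CRL signature did not verify")
    indicator = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value.crl_number
    if not indicator <= _crl_number(base) < _crl_number(delta):
        raise ValueError("delta CRL does not extend this base CRL")
    revoked = {r.serial_number for r in base}
    for r in delta:
        if _reason(r) == x509.ReasonFlags.remove_from_crl:
            revoked.discard(r.serial_number)
        else:
            revoked.add(r.serial_number)
    return serial in revoked


if __name__ == "__main__":
    base, delta = build_base_crl(), build_delta_crl()
    pub = CA_KEY.public_key()
    for name, s in [("old", SERIAL_OLD), ("new", SERIAL_NEW),
                    ("undone", SERIAL_UNDONE), ("good", SERIAL_GOOD)]:
        print(f"{name:6} base-only={is_revoked_base_only(base, s)!s:5} "
              f"base+delta={is_revoked_with_delta(base, delta, s, pub)}")
```

Run stand-alone, the script prints one line per serial: the certificate revoked only in the delta is reported as not revoked by the base-only check and as revoked by the base+delta check, which is exactly the difference the ticket describes. The base-number check in `is_revoked_with_delta` matters in the daily-refreshed-bundle setup from the report: a delta CRL published against a newer base than the one in the bundle must be rejected rather than silently applied.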