id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
782	nginx doesn't check delta CRLs	Niko		"Hi,

We are using nginx for certificate authentication. We have multiple trusted certificate authorities (CAs) and related certificate revocation lists (CRLs) in one PEM file, which is updated on a daily basis:

ssl_client_certificate /etc/nginx/clientcerts/trustedCAs.pem;
ssl_crl /etc/nginx/clientcerts/revoked_certs.pem;

This works fine so far when a certificate authority has only one corresponding CRL. However, when a CA uses so-called ""Delta CRLs"", a revoked client certificate which is only present in the delta CRL seems not to be read by nginx. The revoked certificate is accepted by nginx. If the revoked certificate is directly inserted into the ""main"" CRL, nginx declines the authentication.

Does nginx support ""Delta CRLs""? I believe this is a security issue, because there may be some certificate authorities which make use of ""Delta CRLs"". If nginx ignores them, a client certificate is accepted although it is revoked.

"	enhancement	reopened	minor		nginx-core	1.9.x					"nginx version: nginx/1.9.4
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled"
