[Rt-commit] rt branch, 4.4-trunk, updated. rt-4.4.4-176-gfed9384907
? sunnavy
sunnavy at bestpractical.com
Mon Nov 23 17:41:25 EST 2020
The branch, 4.4-trunk has been updated
via fed93849071b9460953c36d7f2a6d74f2588c953 (commit)
via 2043c8a45e645b475da77b5d6f4ddc763abb356c (commit)
via fcbca1973bff5edcbaa965ec8fb75f16ff4a0d39 (commit)
from 6a8ea9f51aee3002eb9a6361f1fe22d8c4130376 (commit)
Summary of changes:
etc/RT_Config.pm.in | 13 ++
lib/RT/Config.pm | 7 +
lib/RT/Crypt/SMIME.pm | 239 +++++++++++++++++++++++---
t/crypt/smime/crl-check.t | 46 +++++
t/crypt/smime/revoked.t | 74 ++++++++
t/data/smime/keys/CAWithCRL/cacert.pem | 22 +++
t/data/smime/keys/CAWithCRL/mycrl.cnf | 1 +
t/data/smime/keys/CAWithCRL/private/cakey.pem | 30 ++++
t/data/smime/keys/revoked-ca.pem | 49 ++++++
t/data/smime/keys/revoked at example.com.pem | 39 +++++
t/data/smime/keys/sender-crl at example.com.key | 30 ++++
t/data/smime/keys/sender-crl at example.com.pem | 23 +++
12 files changed, 551 insertions(+), 22 deletions(-)
create mode 100644 t/crypt/smime/crl-check.t
create mode 100644 t/crypt/smime/revoked.t
create mode 100644 t/data/smime/keys/CAWithCRL/cacert.pem
create mode 100644 t/data/smime/keys/CAWithCRL/mycrl.cnf
create mode 100644 t/data/smime/keys/CAWithCRL/private/cakey.pem
create mode 100644 t/data/smime/keys/revoked-ca.pem
create mode 100644 t/data/smime/keys/revoked at example.com.pem
create mode 100644 t/data/smime/keys/sender-crl at example.com.key
create mode 100644 t/data/smime/keys/sender-crl at example.com.pem
- Log -----------------------------------------------------------------
commit fcbca1973bff5edcbaa965ec8fb75f16ff4a0d39
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Nov 6 16:31:03 2020 -0500
Support SMIME certificate revocation using OCSP/CRL
Note that for certificates that are signed by untrusted CAs, we won't
check OCSP/CRL for security reasons (it's risky to download things
from untrusted URLs).
diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
index f8f7866c02..78d9ac532a 100644
--- a/etc/RT_Config.pm.in
+++ b/etc/RT_Config.pm.in
@@ -3060,6 +3060,16 @@ function, or a hash (to look up by address). If the hash is used, the
Set C<OtherCertificatesToSend> to path to a PEM-formatted certificate file.
Certificates in the file will be include in outgoing signed emails.
+Set C<CheckCRL> to a true value to have RT check for revoked certificates
+by downloading a CRL. By default, C<CheckCRL> is disabled.
+
+Set C<CheckOCSP> to a true value to have RT check for revoked certificates
+against an OCSP server if possible. By default, C<CheckOCSP> is disabled.
+
+Set C<CheckRevocationDownloadTimeout> to the timeout in seconds for
+downloading a CRL or an issuer certificate (the latter is used when
+checking against OCSP). The default timeout is 30 seconds.
+
See L<RT::Crypt::SMIME> for details.
=back
@@ -3074,6 +3084,9 @@ Set( %SMIME,
AcceptUntrustedCAs => undef,
Passphrase => undef,
OtherCertificatesToSend => undef,
+ CheckCRL => 0,
+ CheckOCSP => 0,
+ CheckRevocationDownloadTimeout => 30,
);
=head2 GnuPG configuration
diff --git a/lib/RT/Config.pm b/lib/RT/Config.pm
index 431a12ca22..a22ec1a366 100644
--- a/lib/RT/Config.pm
+++ b/lib/RT/Config.pm
@@ -839,6 +839,13 @@ our %META;
delete $opt->{CAPath};
}
}
+
+ if ($opt->{CheckCRL} && ! RT::Crypt::SMIME->SupportsCRLfile) {
+ $opt->{CheckCRL} = 0;
+ $RT::Logger->warn(
+ "Your version of OpenSSL does not support the -CRLfile option; disabling \$SMIME{CheckCRL}"
+ );
+ }
},
},
GnuPG => {
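Review bot: The new check relies on `RT::Crypt::SMIME->SupportsCRLfile`, which returns a package variable that only `Probe` sets, and nothing in this hunk shows that `Probe` has run by the time this PostLoadCheck executes. If the order can be the other way round, `CheckCRL` is forced to 0 on every start even with a capable OpenSSL, and the only trace is a warning that blames the OpenSSL version. A comment above the `if`, such as `# Relies on RT::Crypt::SMIME->Probe having already run; SupportsCRLfile is undef before that`, would make the dependency explicit. The enclosing sub starts outside the hunk.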
diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm
index d78eb14146..b9c9c191a1 100644
--- a/lib/RT/Crypt/SMIME.pm
+++ b/lib/RT/Crypt/SMIME.pm
@@ -61,6 +61,11 @@ use IPC::Run3 0.036 'run3';
use RT::Util 'safe_run_child';
use Crypt::X509;
use String::ShellQuote 'shell_quote';
+use LWP;
+
+# This will be set to a true value by Probe
+# if "openssl verify" supports the -CRLfile option
+our $OpenSSL_Supports_CRLfile;
=head1 NAME
@@ -82,6 +87,9 @@ You should start from reading L<RT::Crypt>.
'' => 'fallback',
},
OtherCertificatesToSend => '/opt/rt4/var/data/smime/other-certs.pem',
+ CheckCRL => 0,
+ CheckOCSP => 0,
+ CheckRevocationDownloadTimeout => 30,
);
=head3 OpenSSL
@@ -128,6 +136,25 @@ Certificates in the file will be include in outgoing signed emails.
Depending on use cases, you might need to include a chain of certificates so
receiving agents can verify. CA could also be included here.
+=head3 CheckCRL
+
+A boolean option that determines whether or not we attempt to check if
+a certificate is revoked by downloading a CRL. The default value is
+false (do not check). Additionally, if AcceptUntrustedCAs is true, RT
+will I<never> download a CRL or check an OCSP URL for a certificate
+signed by an untrusted CA.
+
+=head3 CheckOCSP
+
+A boolean option that determines whether or not we check if a certificate
+is revoked by checking the OCSP URL (if any). The default value is
+false.
+
+=head3 CheckRevocationDownloadTimeout
+
+Timeout in seconds for downloading a CRL or issuer certificate for
+OCSP checking. The default is 30 seconds.
+
=head2 Keyring configuration
RT looks for keys in the directory configured in the L</Keyring> option
@@ -212,6 +239,14 @@ sub Probe {
" SMIME support has been disabled");
return;
} else {
+ ($buf, $err) = ('', '');
+ # Interrogate openssl verify command to see if it supports
+ # the -CRLfile option.
+ safe_run_child { run3( [$bin, 'verify', '-help'],
+ \undef, \$buf, \$err) };
+ if ($err =~ /-CRLfile/) {
+ $OpenSSL_Supports_CRLfile = 1;
+ }
return 1;
}
}
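Review bot: The probe captures stdout in `$buf` but matches only `$err`, so an OpenSSL build that prints `verify -help` on stdout would leave `$OpenSSL_Supports_CRLfile` unset and RT::Config would then quietly switch `CheckCRL` off. Matching both streams avoids depending on where the help text goes: `if ("$buf$err" =~ /-CRLfile/) {`. The flag is also never reset to a false value, so a second `Probe` against a different binary keeps the earlier answer. Probe's body starts outside the hunk.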
@@ -975,6 +1010,61 @@ sub GetCertificateInfo {
stderr => ''
);
+ # First, check if the certificate verifies without checking
+ # revocation status
+ $self->RunOpenSSLVerify($PEM, \%res);
+
+ if ($res{info}[0]{TrustLevel} != 2) {
+ # Not signed by trusted CA; return
+ return %res;
+ }
+
+ # If we're not configured to check CRLs or OCSP, just return
+ # what we have.
+ return %res unless (RT::Config->Get('SMIME')->{'CheckCRL'} ||
+ RT::Config->Get('SMIME')->{'CheckOCSP'} );
+
+ # Check if certificate has been revoked using OCSP if the cert has
+ # an OCSP URL. Unfortunately, Crypt::X509 doesn't let us query
+ # for OCSP URLs, so we need to run OpenSSL.
+ if (RT::Config->Get('SMIME')->{'CheckOCSP'}) {
+ my $ocsp_result = $self->CheckRevocationUsingOCSP($PEM, \%res);
+ if ($ocsp_result) {
+ # We got a definitive result from OCSP; return
+ return %res;
+ }
+ }
+
+ # OCSP didn't give us a result, or was disabled Try downloading CRL.
+ if (RT::Config->Get('SMIME')->{'CheckCRL'}) {
+ if ($OpenSSL_Supports_CRLfile) {
+ # We fetch the CRL file ourselves using LWP rather than
+ # using OpenSSL's -crl_download option so we can
+ # control the timeout.
+ my ($url) = @{$cert->CRLDistributionPoints};
+ if ($url) {
+ my $crl_file = $self->DownloadAndConvertCRLToPEM($url);
+ if ($crl_file) {
+ $self->RunOpenSSLVerify($PEM, \%res, '-crl_check', '-CRLfile', $crl_file);
+ } else {
+ $res{info}[0]{Trust} .= " (NOTE: Unable to download CRL)";
+ }
+ }
+ }
+ }
+
+ return %res;
+}
+
+sub RunOpenSSLVerify
+{
+ my $self = shift;
+ my $PEM = shift;
+ my $res = shift;
+ # Remaining args are extra arguments to "openssl verify"
+
+ $res->{stderr} = '';
+
# Check the validity
my $ca = RT->Config->Get('SMIME')->{'CAPath'};
if ($ca) {
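Review bot: The CRL URL taken from `$cert->CRLDistributionPoints` is handed to `DownloadAndConvertCRLToPEM` without any scheme check, whereas the OCSP path only accepts URLs matching `https?:`. Since the value comes from the certificate being verified, the fetch should be limited to the same schemes, either with `next unless $url =~ m{\Ahttps?://}i` here or `$ua->protocols_allowed(['http', 'https']);` in the helper. Only the first distribution point is tried, and a failed download leaves `TrustLevel` at 2 with a note appended to `Trust`; that soft-fail behaviour deserves a sentence in the `CheckCRL` POD so operators know a blocked CRL fetch does not reject the certificate. GetCertificateInfo starts outside the hunk and RunOpenSSLVerify continues past it.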
@@ -986,39 +1076,43 @@ sub GetCertificateInfo {
}
local $SIG{CHLD} = 'DEFAULT';
+
my $cmd = [
$self->OpenSSLPath,
- 'verify', @ca_verify,
- ];
+ 'verify', @ca_verify, @_,
+ ];
my $buf = '';
- safe_run_child { run3( $cmd, \$PEM, \$buf, \$res{stderr} ) };
+ safe_run_child { run3( $cmd, \$PEM, \$buf, \$res->{stderr} ) };
if ($buf =~ /^stdin: OK$/) {
- $res{info}[0]{Trust} = "Signed by trusted CA $res{info}[0]{Issuer}[0]{String}";
- $res{info}[0]{TrustTerse} = "full";
- $res{info}[0]{TrustLevel} = 2;
+ $res->{info}[0]{Trust} = "Signed by trusted CA $res->{info}[0]{Issuer}[0]{String}";
+ $res->{info}[0]{TrustTerse} = "full";
+ $res->{info}[0]{TrustLevel} = 2;
+ $res->{exit_code} = 0;
} elsif ($? == 0 or ($? >> 8) == 2) {
- $res{info}[0]{Trust} = "UNTRUSTED signing CA $res{info}[0]{Issuer}[0]{String}";
- $res{info}[0]{TrustTerse} = "none";
- $res{info}[0]{TrustLevel} = -1;
+ if ($res->{stderr} =~ /certificate revoked/i) {
+ $res->{info}[0]{Trust} = "REVOKED certificate from CA $res->{info}[0]{Issuer}[0]{String}";
+ $res->{info}[0]{TrustTerse} = "none (revoked certificate)";
+ } else {
+ $res->{info}[0]{Trust} = "UNTRUSTED signing CA $res->{info}[0]{Issuer}[0]{String}";
+ $res->{info}[0]{TrustTerse} = "none";
+ }
+ $res->{info}[0]{TrustLevel} = -1;
+ $res->{exit_code} = $?;
} else {
- $res{exit_code} = $?;
- $res{message} = "openssl exited with error code ". ($? >> 8)
+ $res->{exit_code} = $?;
+ $res->{message} = "openssl exited with error code ". ($? >> 8)
." and stout: $buf";
- $res{info}[0]{Trust} = "unknown (openssl failed)";
- $res{info}[0]{TrustTerse} = "unknown";
- $res{info}[0]{TrustLevel} = 0;
+ $res->{info}[0]{Trust} = "unknown (openssl failed)";
+ $res->{info}[0]{TrustTerse} = "unknown";
+ $res->{info}[0]{TrustLevel} = 0;
}
} else {
- $res{info}[0]{Trust} = "unknown (no CAPath set)";
- $res{info}[0]{TrustTerse} = "unknown";
- $res{info}[0]{TrustLevel} = 0;
+ $res->{info}[0]{Trust} = "unknown (no CAPath set)";
+ $res->{info}[0]{TrustTerse} = "unknown";
+ $res->{info}[0]{TrustLevel} = 0;
}
-
- $res{info}[0]{Formatted} = $res{info}[0]{User}[0]{String}
- . " (issued by $res{info}[0]{Issuer}[0]{String})";
-
- return %res;
+ $res->{info}[0]{Formatted} = $res->{info}[0]{User}[0]{String} . " (issued by $res->{info}[0]{Issuer}[0]{String})";
}
# Extract the subject email address from an S/MIME certificate.
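Review bot: In the `$? == 0 or ($? >> 8) == 2` branch, every `-crl_check` failure whose stderr does not contain "certificate revoked" is reported as "UNTRUSTED signing CA" with `TrustLevel` -1. On the second call from GetCertificateInfo the CA has already verified as trusted, so a CRL that openssl rejects for another reason (for example one that is expired or does not belong to the issuer, as far as the command reports those with the same exit code) overwrites a correct result with a misleading label. When extra arguments were passed in `@_` and the failure is not a revocation, a distinct message such as `"unknown (CRL check failed)"` would keep the two cases apart for whoever reads the ticket. The sub begins in the previous hunk.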
@@ -1057,4 +1151,105 @@ sub ExtractSubjectEmailAddress {
return undef;
}
+sub DownloadAndConvertCRLToPEM {
+ my ($self, $url) = @_;
+ my $tmpdir = File::Temp::tempdir( TMPDIR => 1, CLEANUP => 1 );
+ my $ua = LWP::UserAgent->new(env_proxy => 1);
+ $ua->timeout(RT::Config->Get('SMIME')->{CheckRevocationDownloadTimeout});
+
+ my $resp = $ua->get($url);
+ return undef unless $resp->is_success;
+
+ my $fname = File::Spec->catfile($tmpdir, 'crl.pem');
+ my $in = $resp->decoded_content;
+ if ($in !~ /-----BEGIN X509 CRL-----/) {
+ $in = "-----BEGIN X509 CRL-----\n" .
+ MIME::Base64::encode_base64($in) .
+ "-----END X509 CRL-----\n";
+ }
+ if ( open my $fh, '>', $fname ) {
+ print $fh $in;
+ close($fh);
+ return $fname;
+ }
+ return undef;
+}
+
+# Returns: 1 if cert has been revoked, 0 if it has definitely NOT been revoked,
+# undef if OCSP check failed
+sub CheckRevocationUsingOCSP {
+ my ($self, $PEM, $res) = @_;
+
+ # Can't do anything without a CAPath
+ my $ca = RT->Config->Get('SMIME')->{'CAPath'};
+ return undef unless $ca;
+
+ my ($out, $err);
+ $out = '';
+ $err = '';
+ # We need to download the issuer certificate, so look for its URL and
+ # that of the OCSP
+ safe_run_child { run3( [$self->OpenSSLPath, 'x509', '-noout', '-text'],
+ \$PEM, \$out, \$err ) };
+ return undef unless $out =~ /CA Issuers - URI:(https?:.*)/;
+ my $issuer_url = $1;
+
+ return undef unless $out =~ /OCSP - URI:(https?:.*)/;
+ my $ocsp_url = $1;
+
+ # We have the issuer certificate URL; make a temp dir and grab it
+ my $tmpdir = File::Temp::tempdir( TMPDIR => 1, CLEANUP => 1 );
+ my $issuer = File::Spec->catfile($tmpdir, 'issuer.crt');
+ my $ua = LWP::UserAgent->new(env_proxy => 1);
+ $ua->timeout(RT::Config->Get('SMIME')->{CheckRevocationDownloadTimeout});
+
+ my $resp = $ua->get($issuer_url);
+ return undef unless $resp->is_success;
+
+ open(my $fh, '>', $issuer) or return undef;
+ my $content = $resp->decoded_content;
+ if ($content !~ /BEGIN CERTIFICATE/) {
+ # Convert from DER to PEM
+ $content = "-----BEGIN CERTIFICATE-----\n" .
+ MIME::Base64::encode_base64($content) .
+ "-----END CERTIFICATE-----\n";
+ }
+ print $fh $content;
+ close($fh);
+
+ # Check for revocation
+ my @ca_verify;
+ if (-d $ca) {
+ @ca_verify = ('-CApath', $ca);
+ } elsif (-f $ca) {
+ @ca_verify = ('-CAfile', $ca);
+ }
+ $out = '';
+ $err = '';
+
+ safe_run_child { run3( [$self->OpenSSLPath(), 'ocsp', '-issuer', $issuer, '-cert', '-', @ca_verify, '-url', $ocsp_url],
+ \$PEM, \$out, \$err) };
+ return undef unless $? == 0;
+
+ if ($out =~ /^-: revoked/) {
+ $res->{info}[0]{Trust} = "REVOKED certificate checked against OCSP URI $ocsp_url";
+ $res->{info}[0]{TrustTerse} = "none (revoked certificate)";
+ $res->{info}[0]{TrustLevel} = -1;
+ $res->{exit_code} = 0;
+ return 1;
+ }
+ if ($out =~ /^-: good/) {
+ # Definitely NOT revoked. Return 0, but not undef
+ return 0;
+ }
+
+ return undef;
+}
+
+# Accessor function to query if OpenSSL supports -CRLfile
+# without having to know a package variable name.
+sub SupportsCRLfile {
+ return $OpenSSL_Supports_CRLfile;
+};
+
1;
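Review bot: Both download helpers read the body with `$resp->decoded_content`, which applies charset decoding when the server labels the response as text; a DER CRL or issuer certificate served that way can be altered before `encode_base64` sees it, so `$resp->content` (or `decoded_content(charset => 'none')`) is the safer read. Neither fetch bounds the response size, and `$ua->max_size(...)` with a configured limit would keep an oversized response from being buffered in memory. `File::Temp::tempdir(CLEANUP => 1)` removes the directory only at process exit, so a long-running RT process keeps one temp directory per checked certificate. In CheckRevocationUsingOCSP, `-: good` is accepted whenever `$? == 0`; it is worth confirming that every supported OpenSSL version exits non-zero when the OCSP response signature fails to verify, or additionally requiring `Response verify OK` in `$err` before returning 0.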
commit 2043c8a45e645b475da77b5d6f4ddc763abb356c
Author: Dianne Skoll <dianne at bestpractical.com>
Date: Fri Nov 20 08:55:52 2020 -0500
Test SMIME certificate revocation using OCSP/CRL
diff --git a/t/crypt/smime/crl-check.t b/t/crypt/smime/crl-check.t
new file mode 100644
index 0000000000..27f54e3032
--- /dev/null
+++ b/t/crypt/smime/crl-check.t
@@ -0,0 +1,46 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+
+my $openssl = RT::Test->find_executable('openssl');
+my $keyring = File::Spec->catfile(RT::Test->temp_directory, "smime" );
+my $ca = RT::Test::find_relocatable_path(qw(data smime keys CAWithCRL));
+$ca = File::Spec->catfile($ca, 'cacert.pem');
+
+RT->Config->Set('SMIME', Enable => 1,
+ Passphrase => {'sender-crl\@example.com' => '123456'},
+ OpenSSL => $openssl,
+ Keyring => $keyring,
+ CAPath => $ca,
+ CheckCRL => 1,
+ CheckOSCP => 1,
+);
+
+RT::Test::SMIME->import_key('sender-crl at example.com');
+
+if (!RT::Crypt::SMIME->SupportsCRLfile) {
+ RT::Test::plan( skip_all => 'This version of openssl does not support the -CRLfile option');
+}
+
+if (!$ENV{RT_TEST_SMIME_REVOCATION}) {
+ RT::Test::plan( skip_all => 'Skipping tests that would download a CRL because RT_TEST_SMIME_REVOCATION environment variable not set to 1');
+}
+
+my $crt;
+{
+ local $/;
+ if (open my $fh, "<" . File::Spec->catfile($keyring, 'sender-crl at example.com.pem')) {
+ $crt = <$fh>;
+ close($fh);
+ } else {
+ die("Could not read " . File::Spec->catfile($keyring, 'sender-crl at example.com.pem') . ": $!");
+ }
+}
+
+my %res;
+%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
+
+is ($res{info}[0]{Trust}, 'Signed by trusted CA fake.ca.bestpractical.com (NOTE: Unable to download CRL)', "We attempted to download CRL, but it failed.");
+
+done_testing;
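Review bot: `CheckOSCP => 1` in the `RT->Config->Set('SMIME', ...)` call is a misspelling of `CheckOCSP`, so the hash set here has no `CheckOCSP` key and the OCSP branch is not enabled in this test. The same misspelling appears in the last `RT->Config->Set` of t/crypt/smime/revoked.t, where it only works because an absent key is false; both should read `CheckOCSP`. The passphrase key `'sender-crl\@example.com'` is single-quoted, so the backslash stays in the key and it will not match the address if the passphrase is ever looked up. Both test files also open the certificate with two-argument `open my $fh, "<" . ...`; `open my $fh, '<', $path` avoids mode characters in the path being interpreted.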
diff --git a/t/crypt/smime/revoked.t b/t/crypt/smime/revoked.t
new file mode 100644
index 0000000000..9f7622041c
--- /dev/null
+++ b/t/crypt/smime/revoked.t
@@ -0,0 +1,74 @@
+use strict;
+use warnings;
+
+use RT::Test::SMIME tests => undef;
+
+my $openssl = RT::Test->find_executable('openssl');
+my $keyring = File::Spec->catfile(RT::Test->temp_directory, "smime" );
+my $ca = RT::Test::find_relocatable_path(qw(data smime keys));
+$ca = File::Spec->catfile($ca, 'revoked-ca.pem');
+
+RT->Config->Set('SMIME', Enable => 1,
+ Passphrase => {'revoked\@example.com' => '123456'},
+ OpenSSL => $openssl,
+ Keyring => $keyring,
+ CAPath => $ca,
+ CheckCRL => 1,
+ CheckOCSP => 1,
+);
+
+RT::Test::SMIME->import_key('revoked at example.com');
+
+
+if (!RT::Crypt::SMIME->SupportsCRLfile) {
+ RT::Test::plan( skip_all => 'This version of openssl does not support the -CRLfile option');
+}
+
+if (!$ENV{RT_TEST_SMIME_REVOCATION}) {
+ RT::Test::plan( skip_all => 'Skipping tests that would download a CRL because RT_TEST_SMIME_REVOCATION environment variable not set to 1');
+}
+
+my $crt;
+{
+ local $/;
+ if (open my $fh, "<" . File::Spec->catfile($keyring, 'revoked at example.com.pem')) {
+ $crt = <$fh>;
+ close($fh);
+ } else {
+ die("Could not read " . File::Spec->catfile($keyring, 'revoked at example.com.pem') . ": $!");
+ }
+}
+
+my %res;
+%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
+is ($res{info}[0]{Trust}, 'REVOKED certificate checked against OCSP URI http://ocsp.digicert.com', 'Trust info indicates revoked certificate using OCSP');
+is ($res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate');
+
+# Now disable OCSP
+RT->Config->Set('SMIME', Enable => 1,
+ Passphrase => {'revoked\@example.com' => '123456'},
+ OpenSSL => $openssl,
+ Keyring => $keyring,
+ CAPath => $ca,
+ CheckCRL => 1,
+ CheckOCSP => 0,
+);
+
+%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
+is ($res{info}[0]{Trust}, 'REVOKED certificate from CA DigiCert SHA2 Secure Server CA', 'Trust info indicates revoked certificate using CRL');
+is ($res{info}[0]{TrustTerse}, 'none (revoked certificate)', 'TrustTerse indicates revoked certificate');
+
+# Disable both OCSP and CRL... cert should verify
+RT->Config->Set('SMIME', Enable => 1,
+ Passphrase => {'revoked\@example.com' => '123456'},
+ OpenSSL => $openssl,
+ Keyring => $keyring,
+ CAPath => $ca,
+ CheckCRL => 0,
+ CheckOSCP => 0,
+);
+%res = RT::Crypt::SMIME->GetCertificateInfo(Certificate => $crt);
+is ($res{info}[0]{Trust}, 'Signed by trusted CA DigiCert SHA2 Secure Server CA');
+is ($res{info}[0]{TrustTerse}, 'full');
+
+done_testing;
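Review bot: The expected strings here depend on live third-party state: a real certificate issued by "DigiCert SHA2 Secure Server CA" and the responder at `http://ocsp.digicert.com` still answering for it. Once that certificate passes its expiry date the plain `openssl verify` step will presumably stop returning OK, and the assertions will fail for a reason unrelated to revocation handling. A comment at the top stating when the fixture expires and how to regenerate it would save the next maintainer the investigation. The final two `is` calls have no test description, unlike the earlier ones; `'Trust is full when both checks are disabled'` or similar keeps the TAP output readable.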
diff --git a/t/data/smime/keys/CAWithCRL/cacert.pem b/t/data/smime/keys/CAWithCRL/cacert.pem
new file mode 100644
index 0000000000..4bfda10da0
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/cacert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIUGoJcpO/tVR5L1ziwAIFJsXipz2wwDQYJKoZIhvcNAQEL
+BQAwajELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB09udGFyaW8xDzANBgNVBAcMBk90
+dGF3YTEUMBIGA1UECgwLQlBTIEZha2UgQ0ExIjAgBgNVBAMMGWZha2UuY2EuYmVz
+dHByYWN0aWNhbC5jb20wIBcNMjAxMTA2MjAyMzUyWhgPMjE1NzA5MjkyMDIzNTJa
+MGoxCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRh
+d2ExFDASBgNVBAoMC0JQUyBGYWtlIENBMSIwIAYDVQQDDBlmYWtlLmNhLmJlc3Rw
+cmFjdGljYWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6lmS
+x/a8PP4K+KQyMDOpHDRBEYj30dyQFDjfWUc/W00R3eF/mXlq5Ox9XSiI/xzeayfl
+5Ekkh0BZfURprLHrsiApfhVxq4NykUVDE0KQqU3Syj+TI5v5E+2e1c9FTzq5aezr
+i5RSsC+PAmiCXUnJudzIxNNwzvW+Xr0a7MGjrLXCh0LMlj0n7v1BaPF0dnumGxEN
+F2PQJF7WeaTPrjeBljyhpEykWNM3T98gc8XuBZjv34gCywb+ssoEBCSezPvDLXIz
+8nHfhkmYa1wQvkylHCEb15ouZUgKfdvmDEq7VsS/sKrF50PYGMWf16oJfS0b3uO8
+WYPpOCRYCFPao+kEuQIDAQABo1MwUTAdBgNVHQ4EFgQUQtf+J+O47jZTXoE6R0BX
+dSy8pjAwHwYDVR0jBBgwFoAUQtf+J+O47jZTXoE6R0BXdSy8pjAwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA0IBnMZ3Ybd1dy6rJTOcrtoYkwlFZ
+97KFR0oE3tDaPy5xoVwbHkqJfqXTOorgQqz39pNFJxZlVmfY90U6QDdc+Y1EfmOL
+t8VNZpaATLRTPKt/DCAL19XMQtXdP8A9hSUIY+Y4UUDRTX0AmIvxKGRzo4wImr6B
+ccwNxf3eldc6dqGUrQxLh2CWNT3K4a5Vr/2OwVkXiydFVJ2IrVvdGrahWOLPmgZm
+0XGCLne5AKTF8AtZBSQGY/8dEN8GKuZnclMwRkesR0AKKUf9M810pF3Y3cRfL7lG
+SuQ7iWAPTYSal+1U3M/kVDKCpO5h8I3p5BbXXiLb1VRrcnsz7teAPOV+KA==
+-----END CERTIFICATE-----
diff --git a/t/data/smime/keys/CAWithCRL/mycrl.cnf b/t/data/smime/keys/CAWithCRL/mycrl.cnf
new file mode 100644
index 0000000000..42ed83f5fc
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/mycrl.cnf
@@ -0,0 +1 @@
+crlDistributionPoints=URI:http://this.will.never.resolve.example.com/crl.pem
diff --git a/t/data/smime/keys/CAWithCRL/private/cakey.pem b/t/data/smime/keys/CAWithCRL/private/cakey.pem
new file mode 100644
index 0000000000..1ea3e190a4
--- /dev/null
+++ b/t/data/smime/keys/CAWithCRL/private/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,DFE7DF2B024DBCCD
+
+RcYxRMyOV5shmvveckaen26WWduuBZpG4ECMZ/v4Psbl0iKuFgCJ+wlgHkjjgtcs
+QjLWtcQ7SPW8Qed/hd4kNS6I8MHrTeJZu4zt5GOYMQmBPT+drWfWV9GeasMlezeD
+8PEjR8lkN0zxp2pbCWNP2150lEtcRVwJI3XlBabhijkhWg5+Jm6y6Iw7reFcaH1P
+JDdmhyHto4eZk4Q6hMsccc9vfVUIDY/S2bdRbo+uWZex0pvUJr1tjrOxshH47bv1
+cAYf5MqpBJP1LU4aO6xudWV+ZJC/Mdh8kH6XeCQyCnyMIKXJz9EL5FuUNW0yo7pC
+oqqJbWchw1BM8Ll5lZDA0epJlnCY3/1VjBag81afIsLNXaKhQw39GatOfkoIIodr
+1AUzT8nlTijq/FU3qsmLkrbVA6x1+7C1vuAfCOi5nOPI04BrRinAqN7usP/a2maO
+9L6q9HWjDQcODoy0frGrbmyLiGNH7fhSqA9s8pf9aZqoz9PmHApMGTwr0i5mNnWK
+552NIOVSyHYdu/teFLZs8XMFR9P2qq47Lsgcw3djBh14HQC29FWMZGcyuwzl9ZbG
+anIAitGU9b0cEstpw4wr7Dtdnk+eU+J89uF2G8iU0R3j+9f0icOpwUl2TlHNHgXN
+C29Ur+zAXJ92Bs7q1grdbYSA2zkQaZ+wnFmZ9FwAhSqljXqaKoIqd4hOJ6Hxk4kw
+dnFfskO+4iWbfXofCp4tmTv5MO5o+ts2S5HAAW+QM9Sy4OHWpk5PptIfzf7o22M7
+AJGYbamTDr90D5K05k3OHFCQezX1faMrs758CG8wduQ/qTF0PgeCOg/0Zi7UmRd4
+75rmTTxYGCO6kyDqs+MK2ZsxDkhjV2USer0OLLIlq4oC25vWihcJ/DjD1C+HCCJ1
+j38XyqvrPuG0KYqoh7CwDtrG4hgBvs7k5B1XM1yqZ3HQWzPV3JpFor4do1hP52Qq
+NBMqP2q8GjkHBll2MzXcJNYWOmAtu4C8mVYPO/3P2Nr/XMMKwXNjFYsSxSDMTzC/
+Jb2GwCPPot1HjV3KQTFfNMSKfpQ1P6PL05JVFQzgRu7hjERrjbkZo/PiVevmtpBF
+PfI5f5d/rMDAvXvypc4cAyqDCzC4LMhznx92gX3wYnVCj7BOBcruzAfOiosay5Gg
+UIsClja/CphTmYFVe2FOgLKbRbIDYsMpvgD7HcmlS0GKjnbbnV0YtVDKEd8UO23x
+jfRtKDRIARVCnh95H9FSUy+TQj5jejvTVVCzohcJOY6PFmjR9QsxtwXwdRmgBW8h
+yuw2f2SJtTVtQsJM9xtWzZPy+5M3kGRcoJc+th/NuzlO34J2wLbbiROi+mg2UGwK
+KXRNWtY1AjG+JjRJTmSKnek7Am7zElAk9WEhuXaRhL1N51Fj3A82JekEOAoyUYyd
+XRAgy4vn4y8tzc5H5T7PDSeOdNq+7Ez4sl1D2/WeVwQ0aKCOs6GV9yen3bloyBQ3
+ybsI3tSI7s8rKkBq0BZjMbUeMi4SnmG8Ro1l9pTScVTXcmAgg2QaLGSxBlzQdPBY
+ZaGWhvJwNf4zaUIcceMk/q276zlGtssQuiHx7IOwAgB9uqmoh9TLCA==
+-----END RSA PRIVATE KEY-----
diff --git a/t/data/smime/keys/revoked-ca.pem b/t/data/smime/keys/revoked-ca.pem
new file mode 100644
index 0000000000..dcf27d9a5f
--- /dev/null
+++ b/t/data/smime/keys/revoked-ca.pem
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/t/data/smime/keys/revoked at example.com.pem b/t/data/smime/keys/revoked at example.com.pem
new file mode 100644
index 0000000000..7c96dc9d6e
--- /dev/null
+++ b/t/data/smime/keys/revoked at example.com.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/t/data/smime/keys/sender-crl at example.com.key b/t/data/smime/keys/sender-crl at example.com.key
new file mode 100644
index 0000000000..1ea3e190a4
--- /dev/null
+++ b/t/data/smime/keys/sender-crl at example.com.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,DFE7DF2B024DBCCD
+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+-----END RSA PRIVATE KEY-----
diff --git a/t/data/smime/keys/sender-crl at example.com.pem b/t/data/smime/keys/sender-crl at example.com.pem
new file mode 100644
index 0000000000..f56f120a52
--- /dev/null
+++ b/t/data/smime/keys/sender-crl at example.com.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
commit fed93849071b9460953c36d7f2a6d74f2588c953
Merge: 6a8ea9f51a 2043c8a45e
Author: sunnavy <sunnavy at bestpractical.com>
Date: Tue Nov 24 06:41:03 2020 +0800
Merge branch '4.4/support-openssl-crl-check' into 4.4-trunk
-----------------------------------------------------------------------