Cropi 9886acbdfd gtls: check CRL expiration, reject connections with expired CRL
GnuTLS silently ignores expired CRLs -- it loads them into credentials
without checking the validity period. This means rsyslog kept accepting
TLS connections even when the configured CRL file had expired, unlike
the OpenSSL driver which rejects them via X509_V_ERR_CRL_HAS_EXPIRED
in the verify callback.

Fix this by manually checking the CRL thisUpdate/nextUpdate timestamps
when loading the CRL file. The file is loaded once, validated, then
passed to credentials via gnutls_certificate_set_x509_crl_mem(). The
nextUpdate timestamp is also cached on the connection object so that
each TLS handshake can cheaply detect if the CRL has expired since
startup, matching OpenSSL's per-connection behavior.

Add CRL tests for both GnuTLS and OpenSSL drivers, each with two
phases: valid CRL (communication succeeds) and expired CRL (connection
rejected, no messages received). Includes a pre-generated expired CRL
test fixture.
2026-03-24 13:39:28 +01:00
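The check described in the commit message, as an added illustration that is not rsyslog's code: the validity-window logic is kept in plain functions so it compiles on its own, and an optional section guarded by `HAVE_GNUTLS` (an assumed build flag) shows how the timestamps would be read from a parsed CRL with GnuTLS's `gnutls_x509_crl_get_this_update()` / `gnutls_x509_crl_get_next_update()` before handing the PEM to `gnutls_certificate_set_x509_crl_mem()`. The `struct crl_state`, the `crl_*` function names and the status enum are assumptions for this example, not rsyslog's identifiers.

```c
/* Added example, not rsyslog code: enforce a CRL's validity window at load
 * time and cache nextUpdate so each handshake can re-check it cheaply. */
#include <stdio.h>
#include <time.h>

/* Assumed per-connection cache, standing in for the field the commit adds. */
struct crl_state {
    time_t next_update;   /* (time_t)-1 when the CRL carries no nextUpdate */
    int    loaded;        /* 1 once a CRL passed the load-time check */
};

enum crl_status {
    CRL_OK = 0,
    CRL_NOT_YET_VALID = 1,
    CRL_EXPIRED = 2,
    CRL_BAD_TIMES = 3
};

/* Validate the CRL window against 'now'. thisUpdate is mandatory;
 * nextUpdate is optional in RFC 5280 and GnuTLS reports its absence as
 * (time_t)-1, in which case the CRL does not expire by this check. */
enum crl_status crl_check_window(time_t this_update, time_t next_update, time_t now)
{
    if (this_update == (time_t)-1)
        return CRL_BAD_TIMES;          /* parse failure or missing field */
    if (now < this_update)
        return CRL_NOT_YET_VALID;
    if (next_update != (time_t)-1 && now >= next_update)
        return CRL_EXPIRED;
    return CRL_OK;
}

/* Load-time check: only a CRL that is currently valid is accepted, and its
 * nextUpdate is remembered for the per-handshake check. */
enum crl_status crl_load_check(struct crl_state *st, time_t this_update,
                               time_t next_update, time_t now)
{
    enum crl_status rc = crl_check_window(this_update, next_update, now);
    if (rc == CRL_OK) {
        st->next_update = next_update;
        st->loaded = 1;
    }
    return rc;
}

/* Per-handshake check against the cached value, so a CRL that expires after
 * startup is caught without re-parsing the file. Returns 1 to allow. */
int crl_handshake_ok(const struct crl_state *st, time_t now)
{
    if (!st->loaded)
        return 1;   /* no CRL configured: nothing to enforce (assumption) */
    return st->next_update == (time_t)-1 || now < st->next_update;
}

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
/* Parse a PEM CRL from memory, check its window, then load it into the
 * credentials. Returns 0 on success or a negative GnuTLS error code. */
int crl_load_pem(struct crl_state *st, gnutls_certificate_credentials_t cred,
                 const gnutls_datum_t *pem)
{
    gnutls_x509_crl_t crl;
    int rc = gnutls_x509_crl_init(&crl);
    if (rc < 0)
        return rc;
    rc = gnutls_x509_crl_import(crl, pem, GNUTLS_X509_FMT_PEM);
    if (rc < 0) {
        gnutls_x509_crl_deinit(crl);
        return rc;
    }
    time_t tu = gnutls_x509_crl_get_this_update(crl);
    time_t nu = gnutls_x509_crl_get_next_update(crl);
    gnutls_x509_crl_deinit(crl);
    if (crl_load_check(st, tu, nu, time(NULL)) != CRL_OK)
        return GNUTLS_E_CERTIFICATE_ERROR;   /* caller refuses the CRL */
    return gnutls_certificate_set_x509_crl_mem(cred, pem, GNUTLS_X509_FMT_PEM);
}
#endif

int main(void)
{
    /* Constructed timestamps: a CRL valid from t=1000 until t=2000. */
    struct crl_state st = { (time_t)-1, 0 };
    printf("load at 1500: %d\n", crl_load_check(&st, 1000, 2000, 1500)); /* 0 */
    printf("handshake at 1999: %d\n", crl_handshake_ok(&st, 1999));     /* 1 */
    printf("handshake at 2000: %d\n", crl_handshake_ok(&st, 2000));     /* 0 */
    return 0;
}
```

The boundary is deliberately `now >= next_update`: once nextUpdate has passed the issuer has promised a newer CRL, so the old one is treated as stale from that instant, matching the commit's "expired CRL means connection rejected" behaviour rather than tolerating the boundary second.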