
Support multiple CRLs with multiple CRLs #1442

Closed
ghost opened this issue Oct 2, 2019 · 2 comments

ghost commented Oct 2, 2019

I have a root CA and multiple subCAs. The server must gather the CRLs from the subCAs and put them in a single file. This works fine on other servers (Apache), but whenever I try to load it in mosquitto 1.6.7 (under Debian Buster) it just stops the process without any output.

1570004494: mosquitto version 1.6.7 starting
1570004494: Config loaded from /etc/mosquitto/mosquitto.conf.
1570004494: Opening ipv4 listen socket on port 1883.
1570004494: Opening ipv6 listen socket on port 1883.
1570004494: Error: Unable to load certificate revocation file "/etc/mosquitto/all.crl.pem". Check crlfile.
1570004494: Error: Protocol not available

What is the correct way to have the CRLs for all subCAs?

ghost (Author) commented Oct 2, 2019

Seems like X509_load_cert_file will return a 1 when one CRL was loaded and 2 when two were loaded, and so on. And it seems like mosquitto only allows 1 certificate to be loaded in net__load_crl_file (because it checks directly for 1).

So maybe a solution would be:

diff --git a/src/net.c b/src/net.c
index 392972f..cc115e5 100644
--- a/src/net.c
+++ b/src/net.c
@@ -426,7 +426,7 @@ int net__load_crl_file(struct mosquitto__listener *listener)
 	}
 	lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
 	rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
-	if(rc != 1){
+	if(rc < 1){
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
 		return 1;
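Review bot: the new `if(rc < 1)` test on the `rc = X509_load_crl_file(...)` line is correct only because OpenSSL returns the number of CRLs it loaded from the file (0 on failure), but nothing in the hunk records that; a one-line comment above the check, e.g. `/* X509_load_crl_file returns the number of CRLs loaded, 0 on error */`, would keep a future cleanup from "tightening" it back to `rc != 1` and reintroducing the rejection of multi-CRL bundles. The `crlfile` option documentation should also say that the file may contain several concatenated PEM CRLs, since that is now the supported behaviour.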

ralight (Contributor) commented Oct 2, 2019

Thank you, that does seem like the best solution. I've pushed the change to the fixes branch.
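To make the return-value point of this thread concrete, here is an added Python example (not code from this issue or from mosquitto) that reads a concatenated PEM bundle the way the loader counts it and then applies the old `rc != 1` test and the fixed `rc < 1` test to the result. The `load_crl_bundle`, `old_check_rejects` and `new_check_rejects` names are mine, and the two PEM blocks in `SAMPLE_BUNDLE` are constructed placeholders (a minimal DER SEQUENCE), not real CRLs.

```python
import base64
import re

# Constructed stand-in for a sub-CA CRL: a minimal DER SEQUENCE, not a real CRL.
FAKE_DER = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x00])).decode()

# Constructed bundle with two concatenated CRL blocks, as produced by gathering
# the CRLs of two sub-CAs into one file.
SAMPLE_BUNDLE = "\n".join([
    "-----BEGIN X509 CRL-----", FAKE_DER, "-----END X509 CRL-----",
    "-----BEGIN X509 CRL-----", FAKE_DER, "-----END X509 CRL-----",
    "",
])

PEM_CRL_BLOCK = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def load_crl_bundle(pem_text: str) -> int:
    """Mimic the count semantics of X509_load_crl_file: return how many CRL
    objects were found in a concatenated PEM file, or 0 if the load fails."""
    count = 0
    for match in PEM_CRL_BLOCK.finditer(pem_text):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError:
            return 0  # corrupt block: the whole load fails, like OpenSSL's 0
        if not der or der[0] != 0x30:  # every CRL is an ASN.1 SEQUENCE
            return 0
        count += 1
    return count


def old_check_rejects(rc: int) -> bool:
    """Pre-fix mosquitto test: anything but exactly one CRL is an error."""
    return rc != 1


def new_check_rejects(rc: int) -> bool:
    """Fixed test: only a zero (nothing loaded or parse failure) is an error."""
    return rc < 1


if __name__ == "__main__":
    rc = load_crl_bundle(SAMPLE_BUNDLE)
    print(f"CRLs in bundle: {rc}")
    print(f"old check rejects bundle: {old_check_rejects(rc)}")
    print(f"new check rejects bundle: {new_check_rejects(rc)}")
```

With the two-CRL bundle the old test reports an error while the fixed test accepts it, and an empty or corrupt file still fails both.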

@ralight ralight closed this as completed in cfacd96 Dec 3, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Mar 10, 2020