Index: b/src/crlcache.c =================================================================== --- b/src/crlcache.c +++ b/src/crlcache.c @@ -2159,8 +2159,45 @@ /* Check whether we already have an entry for this issuer and mark it as deleted. We better use a loop, just in case duplicates got somehow into the list. */ - for (e = cache->entries; (e=find_entry (e, entry->issuer_hash)); e = e->next) - e->deleted = 1; + { + int ignore_crl = 0; + for (e = cache->entries; (e=find_entry (e, entry->issuer_hash)); + e = e->next) + { + /* Don't ovewrite old CRL having greather crl_number by new CRL with + * lesser clr_number. E.g. Some DP names are not synchronized + * properly. */ + if (!ignore_crl && entry->crl_number && e->crl_number && + strcmp(entry->crl_number, e->crl_number) < 0) + { + log_info ("new CRL has lesser number (0x%s) than CRL stored " + "in cache already (0x%s), ignoring new one\n", + entry->crl_number, e->crl_number); + ignore_crl = 1; + /* Mask this problem from caller if in-cache CRL is still usable */ + get_isotime (current_time); + if (e->invalid || strcmp (e->next_update, current_time) < 0) + { + if (!err2) + err2 = gpg_error (GPG_ERR_CRL_TOO_OLD); + if (opt.verbose) + log_info ("this fact will be still reported as error " + "because no other usable CRL is available\n"); + } + else + { + err2 = 0; + if (opt.verbose) + log_info ("this fact will be masked because another " + "usable CRL is available\n"); + } + } + else + e->deleted = 1; + } + if (ignore_crl) + goto leave; + } /* Rename the temporary DB to the real name. */ newfname = make_db_file_name (entry->issuer_hash);
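Review bot: The new `strcmp(entry->crl_number, e->crl_number) < 0` test compares CRL numbers as strings, which matches numeric order only when both hex strings have the same length; unless crl_number is zero-padded to a fixed width (not visible here), a cached `ff` sorts above a new `100`, so every later CRL would be rejected and the cache would never pick up newer revocations. Compare length before content, e.g. `size_t ln = strlen (entry->crl_number), lo = strlen (e->crl_number);` and then `if (!ignore_crl && entry->crl_number && e->crl_number && (ln < lo || (ln == lo && strcmp (entry->crl_number, e->crl_number) < 0)))`. Entries visited before the higher-numbered one have already been marked `deleted` when `goto leave` fires, and once `ignore_crl` is set every later duplicate falls into the `else` and is marked deleted as well, so the cache can lose entries although nothing replaces them; a first pass that decides and a second that marks would avoid that. The `goto leave` also skips the rename of the temporary DB, so whether a stale temp file is left on disk depends on what `leave` does with it — the enclosing function starts and ends outside this hunk. The comment typos `ovewrite`, `greather` and `clr_number` should read `overwrite`, `greater` and `crl_number`.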