Hello,
Are there any plans to add support for conditional verification of the certificate chain?
Today certmonger unconditionally verifies certificates with openssl verification flag value set to 0 - https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1086
There are use cases when a user/admin would like to ignore certain checks in CA certificates, for example skipping CRL info verification.
Thank you, Ildar
What is CLR info verification? Do you mean CRL?
I don't understand the need for skipping verification. It seems like skipping any validation is a bad idea, even if optional.
It can help in certain use cases, for example when CRL support is not implemented yet by a custom CA. I agree that by default the flag state should be 0 (enable all checks); however, it would be great to allow admins/users to customize this based on their needs.
Are you seeing a specific error?
certmonger isn't enabling CRL checking in the store at all, e.g. it has no call like X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
Yeah, I assume that passing flag=0 to openssl here - https://github.com/openssl/openssl/blob/master/crypto/pkcs7/pk7_smime.c#L215 - enables strict verification of the cert chain.
Regarding the error, openssl spits out a generic error for my case - "error:10800075:PKCS7 routines::certificate verify error". I checked the behavior with another open source solution for SCEP (it also uses openssl under the hood) and was able to work around the problem by disabling CRL verification.
I think that enhancement request can also be beneficial for users and admins troubleshooting cert chain verification issues. A list of openssl flags can be found here - https://github.com/OneSignal/openssl/blob/main/include/openssl/pkcs7.h#L171
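The following is an added, constructed demonstration (not certmonger's code and not part of this thread) of what the CRL-check verify flag discussed above actually changes. It builds a throwaway CA and leaf with the `openssl` command-line tool, then verifies the same leaf four ways: with no CRL flag (the situation Rob describes, where CRLs are never consulted), with `-crl_check` but no CRL available (what a CA without CRL support produces), with `-crl_check` and a valid CRL, and with `-crl_check` after the leaf has been revoked. It assumes `openssl` (1.1.1 or 3.x) is on `PATH`; the CA name, file names and config are hypothetical.

```shell
#!/bin/sh
# Constructed demonstration, not certmonger or OpenSSL project code: the same
# leaf certificate verified against the same CA, with and without OpenSSL's
# CRL-check verify flag, and with a CRL that does / does not revoke it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config used by "openssl req" (CA certificate extensions) and by
# "openssl ca" (CRL issuing). The CA name and paths are hypothetical.
cat > "$WORK/demo.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"

# Self-signed CA plus one leaf certificate issued by it (both valid for a day).
openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=leaf.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1

# Verify leaf.pem against ca.pem with extra "openssl verify" options (for
# example -crl_check, -CRLfile <file>); prints OK or FAIL instead of exiting.
verify_leaf() {
  if openssl verify "$@" -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Issue a CRL signed by the demo CA into the file named by $1.
issue_crl() {
  openssl ca -config "$WORK/demo.cnf" -gencrl -out "$1" >/dev/null 2>&1
}

# Mark the leaf as revoked in the CA database (takes effect in the next CRL).
revoke_leaf() {
  openssl ca -config "$WORK/demo.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
}

NO_CRL_FLAG=$(verify_leaf)                  # chain checked, CRLs never consulted
CRL_FLAG_NO_CRL=$(verify_leaf -crl_check)   # no CRL available: "unable to get certificate CRL"
issue_crl "$WORK/crl1.pem"
CRL_FLAG_GOOD_CRL=$(verify_leaf -crl_check -CRLfile "$WORK/crl1.pem")  # CRL found, leaf not listed
revoke_leaf
issue_crl "$WORK/crl2.pem"
CRL_FLAG_REVOKED=$(verify_leaf -crl_check -CRLfile "$WORK/crl2.pem")   # leaf listed: "certificate revoked"

printf 'no CRL flag: %s\n-crl_check, no CRL: %s\n-crl_check, valid CRL: %s\n-crl_check, revoked: %s\n' \
  "$NO_CRL_FLAG" "$CRL_FLAG_NO_CRL" "$CRL_FLAG_GOOD_CRL" "$CRL_FLAG_REVOKED"
```

The second case is the one that matters for this request: once CRL checking is enabled, a chain from a CA that publishes no CRL fails hard, and the precise `openssl verify` error ("unable to get certificate CRL" versus "certificate revoked") is what tells an admin whether the failure is a missing CRL source or an actual revocation, something the generic PKCS7 "certificate verify error" quoted above does not distinguish.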
Sorry, lost track of this.
So you had a revoked certificate in the chain?
My fear is that folks could enable something like this for debugging, or to simply avoid the overhead of PKI, and no validation would be done at all.