From d91c77f6335f36faf5ba8082ea2820e0d2540427 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 5 Nov 2024 13:05:19 +0100
Subject: [PATCH] firmware: stale CRL index if hosts changed

---
 .../scripts/system/update-crl-fetch.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/scripts/system/update-crl-fetch.py b/src/opnsense/scripts/system/update-crl-fetch.py
index 53fef42f3..919a763aa 100755
--- a/src/opnsense/scripts/system/update-crl-fetch.py
+++ b/src/opnsense/scripts/system/update-crl-fetch.py
@@ -68,14 +68,30 @@ def main(domains, target, lifetime):
     crl_index = target + 'index'
     crl_bundle = []
 
+    domains = sorted(set(domains))
+    current = ",".join(domains)
+
+    # assume we run under a firmware lock
     if os.path.isfile(crl_index):
+        crl_stale = False
+
+        with open(crl_index, "r") as idx:
+            if idx.readline().strip('\n') != current:
+                crl_stale = True
+
         fstat = os.stat(crl_index)
-        if (time.time() - fstat.st_mtime) < lifetime and fstat.st_size > 0:
+        if (time.time() - fstat.st_mtime) >= lifetime and fstat.st_size > 0:
+            crl_stale = True
+
+        if not crl_stale:
             # failure means do not rehash now
             exit(1)
+        os.unlink(crl_index)
 
     with open(crl_index, 'a+') as sys.stdout:
+        print(current);
+
         for fetched in fetch_certs(domains):
             try:
                 dp_uri = None
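Review bot: The `and fstat.st_size > 0` qualifier kept on the inverted age check no longer protects anything and now works against the retry intent: because `print(current)` writes a header line unconditionally, the index is never empty again, so a run in which `fetch_certs(domains)` yields nothing (all fetches failed, presumably) leaves a header-only index whose mtime is fresh and that is not retried until `lifetime` has elapsed, whereas the old `st_size > 0` guard rebuilt an empty index on the next run. I would write the age check as `if fstat.st_size == 0 or (time.time() - fstat.st_mtime) >= lifetime:` and, if fetch failures should still be retried early, defer the header write or unlink the index when no CRL was collected (the collection loop continues past the hunk). The header line also changes the index file format, so any consumer that reads it as a plain CRL list presumably has to skip line one — verify against the readers. Minor style: drop the trailing semicolon in `print(current);`. `main` continues outside the hunk.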