On Wed, Nov 09, 2005, david kine wrote:

> I have a secure client application that loads a pkcs12 file containing
> client cert, client key, and trusted root CA's. It works perfectly,
> connecting only to servers signed by the trusted CA's.
>
> However, when I load a single CRL file, then all connections fail:
>
> "unable to get certificate CRL"
> "SSL_connect error 1, error:00000001:lib(0):func(0):reason(1)"
> "SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>
> The certificates are generated with CA.pl, and the CRL with openssl CA
> utilities.
>
> The code to load the CRL (with error checking removed here), assuming
> pSSL_CTX is the SSL context and file.crl is the CRL file:
>
> -----
>
> X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
>
> X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );
>
> X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );
>
> X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
>
> ----
>
> Am I missing a step or doing something incorrectly?
>
> I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10 (Sparc).
If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end
entity certificate (server or client) against a CRL. If you set
X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for
the complete chain. So my guess is there's a certificate in the chain which
doesn't have a corresponding CRL.

Also check the return value of X509_load_crl_file() to see if it's loaded
correctly. BTW the option above would load a DER (binary) format CRL whereas
the default output of -gencrl is PEM.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
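The failure from the thread and both points in the reply (a CRL check with no CRL present, and the DER-versus-PEM mismatch), reproduced with the openssl CLI instead of the X509_STORE API. This is an added example, not code from the thread; it assumes an openssl binary (1.1.1 or 3.x) with its default openssl.cnf and builds its own throw-away CA, server certificate and CRL, so every file name and subject in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get certificate CRL"
# with the openssl CLI, then show a CRL check that works and catches a revoked cert.
# Assumes an openssl binary (1.1.1 or 3.x) with its default openssl.cnf installed;
# every file name and subject below is constructed test data.
set -u

# Exit status 0 means every step behaved as expected; a non-zero status names the step that did not.
crl_demo() (
    dir=$(mktemp -d) || return 1
    cd "$dir" || return 1
    # Step 1: throw-away root CA and one server certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Test-Root-CA \
        -keyout ca.key -out ca.pem -days 30 >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=server.example \
        -keyout srv.key -out srv.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out srv.pem -days 30 >/dev/null 2>&1 || return 1
    # Minimal 'openssl ca' config: -gencrl needs a database, the CA cert/key and a digest.
    : > index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1
    # Step 2: CRL checking on but no CRL available -> the error from the thread (verify exits non-zero).
    openssl verify -CAfile ca.pem -crl_check srv.pem >/dev/null 2>&1 && return 2
    # Step 3: same check with the issuing CA's PEM CRL supplied -> chain verifies.
    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check srv.pem >/dev/null 2>&1 || return 3
    # Step 4: revoke the server cert, reissue the CRL, and the same check now rejects it.
    openssl ca -config ca.cnf -revoke srv.pem >/dev/null 2>&1 || return 1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1
    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check srv.pem >/dev/null 2>&1 && return 4
    # Step 5: the encoding mismatch from the reply: a DER CRL is rejected where PEM is expected.
    openssl crl -in crl.pem -outform DER -out crl.der >/dev/null 2>&1 || return 1
    openssl crl -in crl.der -inform PEM -noout >/dev/null 2>&1 && return 5
    rm -rf "$dir"
    return 0
)

if crl_demo; then echo "all CRL checks behaved as expected"; else echo "step $? did not"; fi
```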