I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but unfortunately it did not help. Attempting to connect to ANY secure server still causes the same "unable to get certificate CRL" error.
I know that the CRL is loaded successfully, because I can later extract it from the SSL_CTX and print its issuer using X509_NAME_oneline( X509_CRL_get_issuer() ). (The original PEM CRL was converted to DER, as you noticed.)

I tried an experiment where I do NOT load the CRL, but I DO set the X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any secure server, with the "unable to get certificate CRL" message. Perhaps this is a clue.

To summarize, my program works perfectly unless I set the X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using X509_load_crl_file().

-David

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I have a secure client application that loads a pkcs12
> > file containing client cert, client key, and trusted
> > root CA's. It works perfectly, connecting only to
> > servers signed by the trusted CA's.
> >
> > However, when I load a single CRL file, then all
> > connections fail:
> >
> > "unable to get certificate CRL"
> > "SSL_connect error 1,
> > error:00000001:lib(0):func(0):reason(1)"
> > "SSL error: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > verify failed"
> >
> > The certificates are generated with CA.pl, and the CRL
> > with openssl CA utilities.
> >
> > The code to load the CRL (with error checking removed
> > here), assuming pSSL_CTX is the SSL context and
> > file.crl is the CRL file:
> >
> > -----
> >
> > X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
> >
> > X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );
> >
> > X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );
> >
> > X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
> >
> > ----
> >
> > Am I missing a step or doing something incorrectly?
> >
> > I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10
> > (Sparc).
> >
>
> If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end
> entity certificate (server or client) against a CRL. If you set
> X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for the
> complete chain.
>
> So my guess is there's a certificate in the chain which doesn't have a
> corresponding CRL.
>
> Also check the return value of X509_load_crl_file() to see if it's loaded
> correctly.
>
> BTW the option above would load a DER (binary) format CRL whereas the default
> output of -gencrl is PEM.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
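The two verification modes Steve describes, reproduced with the openssl command-line tool rather than the C API. This is an added example, not code from either poster: it builds a throwaway root -> intermediate -> leaf PKI, issues one CRL per CA with "openssl ca -gencrl", and runs "openssl verify" with -crl_check (the CLI form of X509_V_FLAG_CRL_CHECK) and -crl_check_all (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL). The file names, subject names and the minimal ca configuration are mine; the script assumes a standard OpenSSL 1.1.1 or 3.x installation on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows which CRLs -crl_check and
# -crl_check_all need, the "unable to get certificate CRL" error when one is
# missing, and the PEM-vs-DER point for X509_load_crl_file().
# Assumption: a standard OpenSSL 1.1.1 or 3.x install on PATH.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Minimal "openssl ca" configuration: only the entries -gencrl and -revoke consult.
ca_config() {           # $1 = CA name; writes $1.cnf plus the empty database it references
    touch "$1.index"
    echo 01 >"$1.crlnumber"
    cat >"$1.cnf" <<EOF
[ ca ]
default_ca = $1
[ $1 ]
database = $1.index
crlnumber = $1.crlnumber
default_md = sha256
default_crl_days = 30
EOF
}

gen_crl() {             # $1 = CA name, $2 = output file; -gencrl writes PEM by default
    openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" -out "$2" 2>/dev/null
}

build_pki() {
    # Root (self-signed) -> intermediate (CA:TRUE) -> leaf (CA:FALSE). Constructed test data.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root" \
        -keyout root.key -out root.crt 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' >ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out int.crt 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' >ee.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Server" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 30 -extfile ee.ext -out leaf.crt 2>/dev/null

    # One CRL per issuing CA, before any revocation; all.crl holds both.
    ca_config root && gen_crl root root.crl
    ca_config int && gen_crl int int.crl
    cat root.crl int.crl >all.crl

    # Revoke the leaf in the intermediate's database and issue a second CRL.
    openssl ca -config int.cnf -keyfile int.key -cert int.crt -revoke leaf.crt 2>/dev/null
    gen_crl int int-revoked.crl

    # X509_load_crl_file(..., X509_FILETYPE_ASN1) expects DER; -gencrl emits PEM.
    openssl crl -in int.crl -outform DER -out int.der
}

verify_leaf() {         # $@ = extra verify flags; prints "OK" or the first error reason
    out=$(openssl verify -CAfile root.crt -untrusted int.crt "$@" leaf.crt 2>&1) \
        && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

build_pki
echo "no CRL checking:                       $(verify_leaf)"
echo "-crl_check, no CRL loaded:             $(verify_leaf -crl_check)"
echo "-crl_check, intermediate CRL only:     $(verify_leaf -crl_check -CRLfile int.crl)"
echo "-crl_check_all, intermediate CRL only: $(verify_leaf -crl_check_all -CRLfile int.crl)"
echo "-crl_check_all, root + intermediate:   $(verify_leaf -crl_check_all -CRLfile all.crl)"
echo "-crl_check, CRL listing the leaf:      $(verify_leaf -crl_check -CRLfile int-revoked.crl)"
```

With -crl_check only the leaf's issuer (the intermediate) needs a current CRL in the store; with -crl_check_all every CA in the chain, the root included, needs one, and the first missing CRL produces "unable to get certificate CRL" at that depth. The -CRLfile option plays the role X509_load_crl_file() plays in the C code, which is why the converted int.der is written: a PEM file handed to X509_load_crl_file() with X509_FILETYPE_ASN1 fails to parse, and the function's return value is the only place that shows.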