Re: Loading CRL's into client application
I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but unfortunately it did not help. Attempting to connect to ANY secure server still causes the same "unable to get certificate CRL" error.

I know that the CRL is loaded successfully, because I can later extract it from the SSL_CTX and print its issuer using X509_NAME_oneline( X509_CRL_get_issuer() ). (The original PEM CRL was converted to DER as you noticed.)

I tried an experiment where I do NOT load the CRL, but I DO set the X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any secure server, with the "unable to get certificate CRL" message. Perhaps this is a clue.

To summarize, my program works perfectly unless I set the X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using X509_load_crl_file().

-David

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I have a secure client application that loads a pkcs12 file containing client cert, client key, and trusted root CA's. It works perfectly, connecting only to servers signed by the trusted CA's. However, when I load a single CRL file, then all connections fail:
> >
> >     unable to get certificate CRL
> >     SSL_connect error 1, error:0001:lib(0):func(0):reason(1)
> >     SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> >
> > The certificates are generated with CA.pl, and the CRL with openssl CA utilities. The code to load the CRL (with error checking removed here), assuming pSSL_CTX is the SSL context and file.crl is the CRL file:
> >
> >     X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
> >     X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );
> >     X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );
> >     X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
> >
> > Am I missing a step or doing something incorrectly? I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10 (Sparc).
>
> If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end entity certificate (server or client) against a CRL. If you set X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for the complete chain. So my guess is there's a certificate in the chain which doesn't have a corresponding CRL.
>
> Also check the return value of X509_load_crl_file() to see if it's loaded correctly.
>
> BTW the option above would load a DER (binary) format CRL whereas the default output of -gencrl is PEM.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
Re: Loading CRL's into client application
On Thu, Nov 10, 2005, david kine wrote:

> I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but unfortunately it did not help. Attempting to connect to ANY secure server still causes the same "unable to get certificate CRL" error.
>
> I know that the CRL is loaded successfully, because I can later extract it from the SSL_CTX and print its issuer using X509_NAME_oneline( X509_CRL_get_issuer() ). (The original PEM CRL was converted to DER as you noticed.)
>
> I tried an experiment where I do NOT load the CRL, but I DO set the X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any secure server, with the "unable to get certificate CRL" message. Perhaps this is a clue.
>
> To summarize, my program works perfectly unless I set the X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using X509_load_crl_file().

Does the CRL cover the server certificate in question?

I'd suggest extracting a server chain using the -showcerts option to s_client. Then pass the chain to openssl verify, include the CRL and see if you can get the crl_check option to work with that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Loading CRL's into client application
Okay, I solved this problem in a very unexpected way.

First of all, I was using s_server incorrectly. I neglected to add -CAfile. Doing so caused my application to get the "error 23: certificate revoked" as expected.

However, accessing servers which were NOT revoked still produced the "error 3: unable to get certificate CRL". I solved this problem in my SSL verify callback function by checking for error == 3, and returning true. In other words, by simply ignoring the error!

Thanks for all the help,
-David

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Thu, Nov 10, 2005, david kine wrote:
>
> > I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but unfortunately it did not help. Attempting to connect to ANY secure server still causes the same "unable to get certificate CRL" error.
> >
> > I know that the CRL is loaded successfully, because I can later extract it from the SSL_CTX and print its issuer using X509_NAME_oneline( X509_CRL_get_issuer() ). (The original PEM CRL was converted to DER as you noticed.)
> >
> > I tried an experiment where I do NOT load the CRL, but I DO set the X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any secure server, with the "unable to get certificate CRL" message. Perhaps this is a clue.
> >
> > To summarize, my program works perfectly unless I set the X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using X509_load_crl_file().
>
> Does the CRL cover the server certificate in question?
>
> I'd suggest extracting a server chain using the -showcerts option to s_client. Then pass the chain to openssl verify, include the CRL and see if you can get the crl_check option to work with that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Re: Loading CRL's into client application
On Thu, Nov 10, 2005, david kine wrote:

> Okay, I solved this problem in a very unexpected way.
>
> First of all, I was using s_server incorrectly. I neglected to add -CAfile. Doing so caused my application to get the "error 23: certificate revoked" as expected.
>
> However, accessing servers which were NOT revoked still produced the "error 3: unable to get certificate CRL". I solved this problem in my SSL verify callback function by checking for error == 3, and returning true. In other words, by simply ignoring the error!

That would mean that a certificate which you didn't have a valid CRL for would be regarded as valid so it's not a good idea.

Some older versions of OpenSSL didn't process the CRL_CHECK_ALL flag correctly so I'd suggest trying a newer version.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
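Steve's suggestion (check the chain with openssl verify and crl_check) and his warning about treating error 3 as success, as an added shell example that is not code from the thread: it builds a throwaway CA and server certificate (constructed test data, names like server.example are made up), issues a CRL with `openssl ca -gencrl`, and shows verify -crl_check reporting error 3 when the store has no CRL for the issuer, OK once the CRL is present, and error 23 once the certificate is revoked. It assumes a current `openssl` binary on PATH and feeds the CA cert and the PEM CRL to verify as one concatenated -CAfile, which the file lookup accepts.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce verify error 3 ("unable to
# get certificate CRL") and error 23 ("certificate revoked") with a
# throwaway CA and `openssl verify -crl_check`, as Steve suggests.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed test PKI: a self-signed CA and one server cert it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in srv.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out srv.crt >/dev/null 2>&1

# Minimal `openssl ca` config: a database is all -gencrl and -revoke need.
printf '[ca]\ndefault_ca = CA_default\n[CA_default]\ndatabase = index.txt\ndefault_md = sha256\n' > ca.cnf
: > index.txt

# Issue (or re-issue) the CA's CRL. -gencrl writes PEM, as Steve notes;
# the verify -CAfile lookup reads PEM CRLs as well as certs, so one
# bundle hands the verifier both (no separate CRL option needed).
gen_crl() {
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl \
        -crldays 1 -out ca.crl >/dev/null 2>&1
    cat ca.crt ca.crl > bundle.pem
}

# Record the server cert as revoked in the database, then re-issue the CRL.
revoke_server() {
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt \
        -revoke srv.crt >/dev/null 2>&1
    gen_crl
}

# verify_status TRUSTFILE CERT: prints OK or the numeric X509_V_ERR code
# taken from "error N at D depth lookup: ..." (3 = no CRL, 23 = revoked).
verify_status() {
    out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *"error "[0-9]*) printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
        *) echo OK ;;
    esac
}

gen_crl
echo "CA only, no CRL: $(verify_status ca.crt srv.crt)"       # 3
echo "CA + CRL:        $(verify_status bundle.pem srv.crt)"   # OK
# After revoke_server, verify_status bundle.pem srv.crt reports 23.
```

The first line is exactly the failure in the thread: with CRL checking on, a certificate whose issuer has no CRL in the store is rejected rather than silently accepted.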
Re: Loading CRL's into client application
On Wed, Nov 09, 2005, david kine wrote:

> I have a secure client application that loads a pkcs12 file containing client cert, client key, and trusted root CA's. It works perfectly, connecting only to servers signed by the trusted CA's. However, when I load a single CRL file, then all connections fail:
>
>     unable to get certificate CRL
>     SSL_connect error 1, error:0001:lib(0):func(0):reason(1)
>     SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> The certificates are generated with CA.pl, and the CRL with openssl CA utilities. The code to load the CRL (with error checking removed here), assuming pSSL_CTX is the SSL context and file.crl is the CRL file:
>
>     X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
>     X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );
>     X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );
>     X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
>
> Am I missing a step or doing something incorrectly? I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10 (Sparc).

If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end entity certificate (server or client) against a CRL. If you set X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for the complete chain. So my guess is there's a certificate in the chain which doesn't have a corresponding CRL.

Also check the return value of X509_load_crl_file() to see if it's loaded correctly.

BTW the option above would load a DER (binary) format CRL whereas the default output of -gencrl is PEM.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk