Petar,

Petar Popara wrote:
>> If that's not it, then you will need to step through the code in the CRL
>> cache. Assuming you are using NSS 3.10 (NSS_3_10_RTM) I suggest you start
>> with DPCache_FetchFromTokens and find out if the CRL is found during the
>> verification.
>
> I have downloaded NSS 3.10 precompiled debug binaries for Windows (VC6
> compiler). By using the VC6 debugger I have noticed that
> CERT_VerifyCertificate() (and CERT_VerifyCertificateNow()) never calls
> DPCache_FetchFromTokens(). For example, SEC_FindCrlByName() which I also use
> to find the CRL and check its time validity (before attempting to download it
> from web) calls DPCache_FetchFromTokens().

Did you mark your own certificate as trusted?
If so, the chain validation ends at your own cert, and thus no
revocation check is performed. In order for revocation checks to be
performed, the only certs that should be trusted are the root certs.
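
The behaviour described in the reply above, as an added example that is not part of the original message and is not NSS code: a simplified model in which chain validation stops at the first trusted certificate, so revocation is consulted only for certificates below that point. All type and function names (`ModelCert`, `model_verify`, `verify_sample`) are hypothetical and the certificate chain is constructed sample data.

```c
#include <stdio.h>

/* Simplified model of chain validation (NOT NSS code): every name here is
   hypothetical and the certificates are constructed sample data. */
typedef struct {
    const char *name;
    int issuer;    /* index of the issuer in the array, -1 if none */
    int trusted;   /* 1 if explicitly marked trusted in the database */
    int revoked;   /* 1 if the issuer's CRL lists this certificate */
} ModelCert;

typedef enum { CHAIN_OK, CHAIN_REVOKED, CHAIN_UNTRUSTED } ChainResult;

/* Walk from the leaf toward the root. The walk ends at the first trusted
   certificate, so revocation is only consulted for certs below it. */
ChainResult model_verify(const ModelCert *certs, int leaf, int *crl_lookups)
{
    *crl_lookups = 0;
    for (int i = leaf; i >= 0; i = certs[i].issuer) {
        if (certs[i].trusted)
            return CHAIN_OK;          /* trust anchor reached: stop here */
        (*crl_lookups)++;             /* stands in for a CRL cache query */
        if (certs[i].revoked)
            return CHAIN_REVOKED;
    }
    return CHAIN_UNTRUSTED;           /* ran out of issuers, no anchor */
}

/* Constructed chain: root(0) <- intermediate(1) <- revoked leaf(2). */
ChainResult verify_sample(int leaf_trusted, int *crl_lookups)
{
    ModelCert certs[] = {
        { "Example Root CA",         -1, 1, 0 },
        { "Example Intermediate CA",  0, 0, 0 },
        { "my-own-cert",              1, leaf_trusted, 1 },
    };
    return model_verify(certs, 2, crl_lookups);
}

int main(void)
{
    int n;
    ChainResult r = verify_sample(1, &n);
    printf("leaf trusted:      result=%d, CRL lookups=%d\n", r, n);
    r = verify_sample(0, &n);
    printf("only root trusted: result=%d, CRL lookups=%d\n", r, n);
    return 0;
}
```

With the leaf marked trusted the model reports success with zero CRL lookups even though the leaf is revoked; with only the root trusted, the revocation is found on the first lookup.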