Ives Steglich wrote:
[..]
The openssl problem for the txt-crl is the following:
if I call:
openssl crl ... it works
if I call:
openssl <enter> to enter the openssl shell and then
call the crl conversion command
we get an error... see attached example:
(the crl lines are exactly the same)
So I'll ask this question at the openssl list too, but maybe
someone knows...
[EMAIL PROTECTED] 006 $ openssl crl -out
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_cnv-2.tmp -in
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_data.tmp
-text -noout -inform PEM
[EMAIL PROTECTED] 006 $
[EMAIL PROTECTED] 006 $ openssl
OpenSSL> crl -out
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_cnv-2.tmp -in
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_data.tmp
-text -noout -inform PEM
error in crl
OpenSSL> q
[EMAIL PROTECTED] 006 $
The problem seems to be the "noout" option.
The openssl CRL application exits with a return code != 0,
the OpenSSL application reports an error in crl.
From my point of view it is a bug in apps/crl.c and I send
this and the bugfix to openssl-users resp. openssl-dev.
Furthermore there is a really dirty hack for now - which re-enables
the txt creation, since the conversion itself, even if the error gets shown
by openssl 'error in crl(command)'...
In OpenCA::OpenSSL change line 951 to:
if( (not $ret) && ($self->errval ne "error in crl\n")) {
this will work around...
Another workaround is to not set "noout" until the bugfix is
in OpenSSL. Of course then there is the CRL attached in the cacrl.txt.
The "dirty hack" above will ignore other "real" errors of CRL,
which is not a good idea, is it?
Best regards
Michael
--
Dipl.-Inform. Michael Konietzka Schlund + Partner AG
- Development UNIX - Brauerstraße 48
Webservices D-76135 Karlsuhe
http://www.schlund.de/ Germany
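
Added example, not part of the original messages and not OpenCA or OpenSSL code: a narrower form of the workaround discussed above, which tolerates the "error in crl" message only when the text output file is present, non-empty and starts with the header line that "openssl crl -text" prints. The helper name crl_text_ok, its arguments, the other error string and the sample files are assumptions constructed for illustration; it also assumes the output file is freshly created for each call, so a stale file from an earlier run cannot satisfy the check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper (not OpenCA code): decide whether a CRL text
# conversion can be trusted even though openssl reported a failure.
#   $ret     - true if the openssl call reported success
#   $errval  - error text reported for the call
#   $outfile - path that was passed to "-out"
sub crl_text_ok {
    my ($ret, $errval, $outfile) = @_;
    return 1 if $ret;                          # normal success path
    # Tolerate only the one known spurious message ...
    return 0 unless defined $errval && $errval eq "error in crl\n";
    # ... and only if the output exists, is non-empty and looks like a CRL dump.
    return 0 unless defined $outfile && -f $outfile && -s $outfile;
    open(my $fh, '<', $outfile) or return 0;
    my $first = <$fh>;
    close($fh);
    return (defined $first
            && $first =~ /^Certificate Revocation List \(CRL\):/) ? 1 : 0;
}

# Constructed sample files standing in for the "-out" target.
sub sample_file {
    my ($content) = @_;
    my ($fh, $name) = tempfile(UNLINK => 1);
    print {$fh} $content;
    close($fh);
    return $name;
}

my $good  = sample_file("Certificate Revocation List (CRL):\n"
                      . "        Version 2 (0x1)\n");
my $empty = sample_file("");

# Each case: label, $ret, $errval, $outfile (all values constructed).
my @cases = (
    [ "spurious error, valid text output", 0, "error in crl\n",   $good  ],
    [ "same error, empty output",          0, "error in crl\n",   $empty ],
    [ "different error message",           0, "some other error\n", $good ],
    [ "clean success",                     1, "",                 $good  ],
);
for my $c (@cases) {
    my ($label, @args) = @$c;
    printf "%-36s => %s\n", $label, crl_text_ok(@args) ? "accept" : "reject";
}
```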