Ives Steglich wrote:
[..]
the openssl problem for the txt-crl is following:

if i call:
   openssl crl ... it works
if i call:
   openssl <enter> to enter the openssl shell and then
   call the crl conversion command

we get an error... see attached example:
(the crl lines are exactly the same)

so i'll ask this question at openssl list too, but maybe
someone knows...

[EMAIL PROTECTED] 006 $ openssl crl -out
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_cnv-2.tmp -in
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_data.tmp
-text -noout -inform PEM
[EMAIL PROTECTED] 006 $
[EMAIL PROTECTED] 006 $ openssl
OpenSSL> crl -out
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_cnv-2.tmp -in
/usr/pki/operating/006/ca/OpenCA/var/tmp/28466_data.tmp
-text -noout -inform PEM
error in crl
OpenSSL> q
[EMAIL PROTECTED] 006 $

The problem seems to be the "noout" option. The openssl CRL application exits with a return code != 0, and the OpenSSL application reports an error in crl. From my point of view it is a bug in apps/crl.c and I send this and the bugfix to openssl-users resp. openssl-dev.

furthermore there is a really dirty hack for now - which re-enables
the txt creation, since the conversion itself, even if the error gets shown
by openssl 'error in crl(command)'...

in OpenCA::OpenSSL change line 951 to:
   if( (not $ret) && ($self->errval ne "error in crl\n")) {

this will work around...

Another workaround is to not set "noout" until the bugfix is in OpenSSL. Of course then there is the CRL attached in the cacrl.txt. The "dirty hack" above will ignore other "real" errors of CRL, which is not a good idea, is it?

Best regards
 Michael

--
Dipl.-Inform. Michael Konietzka  Schlund + Partner AG
- Development UNIX -             Brauerstraße 48
    Webservices                  D-76135 Karlsruhe
http://www.schlund.de/           Germany
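
The second workaround in the mail above (calling `crl -text` without `-noout`, which leaves the PEM block attached to the text output) can be combined with a filter that removes that block and still fails on malformed output, so no error string has to be ignored. This is an added example, not code from the original mail, OpenCA or OpenSSL; the function names and the file names in the comment are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example; not OpenCA or OpenSSL code. Function names are hypothetical.
# Typical use (flags as in the mail above, minus -noout; file names are
# placeholders):
#   openssl crl -in crl.pem -inform PEM -text | strip_crl_pem > cacrl.txt.new
#
# strip_crl_pem: filter stdin -> stdout, dropping the PEM block.
# Exit status: 0 = ok, 1 = no CRL text header seen,
#              2 = PEM markers missing, repeated or unbalanced.
strip_crl_pem() {
    awk '
        /^-----BEGIN X509 CRL-----$/ { nbegin++; inpem = 1; next }
        /^-----END X509 CRL-----$/   { nend++;   inpem = 0; next }
        inpem                        { next }   # base64 body of the CRL
        /Certificate Revocation List \(CRL\):/ { header = 1 }
        { print }
        END {
            if (!header) exit 1
            if (nbegin != 1 || nend != 1 || inpem) exit 2
        }
    '
}

# Constructed sample of what `openssl crl -text` prints without -noout.
sample_crl_output() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN=Constructed Test CA
        Last Update: Jan  1 00:00:00 2004 GMT
No Revoked Certificates.
-----BEGIN X509 CRL-----
Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ1JM
-----END X509 CRL-----
EOF
}
```

Because the filter prints as it reads, write its output to a temporary file and replace the published text file only when the exit status is 0.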

