Dear Steve,

Thank you for the fix; it avoids looping with the s_client app, as well as with the API call.

I still have a question regarding CRL scopes I would like to address to you. The X509_V_ERR_DIFFERENT_CRL_SCOPE happened because I downloaded a CRL from a CRL Distribution Point (CRLDP) found in another server certificate. That downloaded CRL had a different scope than the server certificate it was later matched against.

Which leads me to the following question: is a CRL not only unique by its Issuer Name and its Authority key ID, but also by its Scope, or to be more precise, by its "IDP - FullName" attribute?

Furthermore, how can a unique URI represent a "scope"? In our case, the server certificate had as CRLDP "URI1" when the CRL had as only IDP field: FullName: URI2. Hence, non-matching scopes?

To my understanding, multiple CRLDPs were used to provide some kind of redundancy. But is it possible that an issuer, with a given subject name and subject key id, issues various CRLs with different sets of revoked certificates, in order to partition its set of all revoked certificates, differing by IDP attribute? Or would these CRLs only have different IDPs but still the same content (same set of revoked certificates)?

Thank you in advance for your explanations.

Kind regards,
Franck

--
franck youssef
junior engineer
open systems ag
[email protected]
http://www.open.ch

On Jul 12, 2013, at 6:51 PM, Stephen Henson via RT <[email protected]> wrote:

> On Fri Jul 12 14:22:46 2013, steve wrote:
>>
>> Obviously the loop shouldn't happen: I'll look into fixing that.
>>
>
> Should be fixed with this:
>
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe
>
> Regards, Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
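
The URI1/URI2 mismatch described in the message above, reproduced as an added example (not part of the thread and not OpenSSL's code): it applies only the fullName comparison from RFC 5280 CRL processing (section 6.3.3), using the Python `cryptography` package. The CA name, key, URIs and helper names are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed test data: one throwaway CA key and name, placeholder URIs.
KEY = ec.generate_private_key(ec.SECP256R1())
CA = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
T0, T1 = datetime.datetime(2013, 7, 1), datetime.datetime(2013, 8, 1)
URI1 = x509.UniformResourceIdentifier("http://crl.example.test/part1.crl")
URI2 = x509.UniformResourceIdentifier("http://crl.example.test/part2.crl")

def make_cert(dp_uri):
    """Certificate whose CRLDP extension names a single URI."""
    dp = x509.DistributionPoint([dp_uri], None, None, None)
    return (x509.CertificateBuilder().subject_name(CA).issuer_name(CA)
            .public_key(KEY.public_key()).serial_number(1)
            .not_valid_before(T0).not_valid_after(T1)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(KEY, hashes.SHA256()))

def make_crl(idp_uri=None):
    """CRL from the same issuer, optionally scoped by an IDP fullName."""
    b = x509.CertificateRevocationListBuilder().issuer_name(CA)
    b = b.last_update(T0).next_update(T1)
    if idp_uri is not None:
        idp = x509.IssuingDistributionPoint(
            [idp_uri], None, False, False, None, False, False)
        b = b.add_extension(idp, critical=True)
    return b.sign(KEY, hashes.SHA256())

def crl_in_scope(cert, crl):
    """fullName comparison only: True if the CRL's IDP covers this cert."""
    ext = crl.extensions
    try:
        idp = ext.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # no IDP: CRL is not partitioned by distribution point
    if idp.full_name is None:
        return True  # other IDP fields (flags, reasons) are not checked here
    try:
        dps = cert.extensions.get_extension_for_class(
            x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        dps = []
    cert_names = {n for dp in dps for n in (dp.full_name or [])}
    return bool(cert_names & set(idp.full_name))
```

Same issuer and same signing key in every case; only the IDP fullName decides whether the CRL is accepted for the certificate.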
