Hello,

I have an application with some simple init code:

    SSL_CTX *ctx;
    X509_STORE *store;
    X509_LOOKUP *lookup;
    (...)
    store = SSL_CTX_get_cert_store(ctx);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
    (...)

The certificate verification chain is OK, CRLs are checked, etc.

Now I have to revoke a certificate: I build a new CRL. But if I simply update the CRL file in "ca_path" without restarting the server, OpenSSL continues to accept the certificate. If I restart the server, it's OK: the certificate is revoked...

In fact, "openssl s_server -CApath ..." has the same issue.

How can I tell my server to update the X509_STORE when a file is updated in ca_path? Or is there any option to set a "time to live" for a store?

Regards,
Anoop singh
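The following is an added example, not part of the original post and not OpenSSL's own code: one way to notice that a CRL in a hashed ca_path has changed, and then install a fresh store built with the same calls as in the question. The names `crl_dir_fingerprint` and `reload_store` and the `WITH_OPENSSL` build flag are assumptions made for this example; `reload_store` is compiled only with that flag and is assumed to be called while no other thread is running a handshake on `ctx`.

```c
#include <dirent.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* 1 if name has the hashed-directory CRL form "xxxxxxxx.rN", else 0. */
static int is_hashed_crl(const char *n)
{
    return strspn(n, "0123456789abcdef") == 8 && n[8] == '.' && n[9] == 'r' &&
           n[10] != '\0' && n[10 + strspn(n + 10, "0123456789")] == '\0';
}

/* Order-independent fingerprint (mtime and size) of the CRL entries in ca_path.
 * stat() follows rehash symlinks. Returns 0, or -1 if ca_path is unreadable. */
int crl_dir_fingerprint(const char *ca_path, uint64_t *fp)
{
    DIR *d = opendir(ca_path);
    struct dirent *e;
    uint64_t h = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        char p[4096];
        struct stat st;
        if (!is_hashed_crl(e->d_name)) continue;
        snprintf(p, sizeof p, "%s/%s", ca_path, e->d_name);
        if (stat(p, &st) != 0) continue;
        h += (uint64_t)st.st_mtime * 1000003u + (uint64_t)st.st_size + 1;
    }
    closedir(d);
    *fp = h;
    return 0;
}

#ifdef WITH_OPENSSL /* assumed build flag; link with -lssl -lcrypto */
#include <openssl/ssl.h>
/* Install a fresh store built from ca_path; OpenSSL frees the old one. */
int reload_store(SSL_CTX *ctx, const char *ca_path)
{
    X509_STORE *s = X509_STORE_new();
    X509_LOOKUP *l = s ? X509_STORE_add_lookup(s, X509_LOOKUP_hash_dir()) : NULL;
    if (!l || !X509_LOOKUP_add_dir(l, ca_path, X509_FILETYPE_PEM)) {
        X509_STORE_free(s);
        return -1;
    }
    X509_STORE_set_flags(s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
    SSL_CTX_set_cert_store(ctx, s);
    return 0;
}
#endif
```

A server would call `crl_dir_fingerprint` periodically (for example from a timer in its main loop) and call `reload_store` only when the value differs from the last one seen. A CRL rewritten within the same second and with the same size would not change the fingerprint.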
