On Tue, Jun 03, 2003, David Kramer wrote:

> I'm using client certificate verification via
> SSL_CTX_set_client_CA_list() and SSL_CTX_load_verify_locations(). I'd
> like to add CRLs. The only way that I've found to do this is to call:
>
> X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
>
> When I do this, my server starts rejecting all client certificates. I've
> verified that my client certificates are accepted if I don't set the
> flag, but rejected if I do. In this case, I don't have a CRL file at all!
>
> An ssldump is below, I'd appreciate any advice on what I might be doing
> wrong, or if there is another way to manage CRLs.
If you set it to check CRLs then you must have a valid CRL for each
certificate you verify. If you don't then the error
X509_V_ERR_UNABLE_TO_GET_CRL is returned, which can be overridden in the
callback in the usual way.

Also there's a bug in the handling of the flag X509_V_FLAG_CRL_CHECK_ALL
which is fixed in the next snapshot: it gets it back to front and checks
the whole chain against CRLs if it's not set.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]