Hi,
I am writing an SSL server program with OpenSSL 0.9.7d and
trying to use a CRL file for client revocation.
I was not able to find an easy way of doing that, so I wrote
the following code:
...
/* ask the client for a certificate and verify it against the trusted CAs */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, NULL);
/* trusted CA certificate(s) used to verify client certificates */
SSL_CTX_load_verify_locations(ctx, "ca.crt", 0);
...
/* add a file-based lookup to the context's X509 store and load the CRL into it */
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
X509_load_crl_file(lookup, "ca.crl", X509_FILETYPE_PEM);
However, the code above does not work as I expect. All
clients successfully connect to the server even if they
are on the CRL.
What is the correct way of activating CRL? Should I write
my own verify callback?
Thanks in advance.
Best regards,
Keisuke Nishida
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]