On Mon, Nov 22, 2004, Richard A. Faulk Jr. wrote:

> I have configured a Cisco VPN 3005 concentrator to use digital certificate
> authentication successfully with openssl. However, whenever I configure the
> concentrator to read the CRL file via http, I receive a Certificate
> validation failure and the VPN client fails to connect. I am using the same
> CA that is configured on the concentrator to generate the CRL, and the
> certificate on the client has not been revoked.
>
> I am running a Red Hat 8.0 server with OpenSSL 0.9.6b.
>
> I generated the CRL using the following command:
>
> openssl ca -gencrl -keyfile private/cakey.pem -cert cacert.pem -out
> crlfile.crl
>
> I have verified that the concentrator can access this file. (Removing read
> permissions from the file results in an access error on the concentrator.)
>
> The error log entries are as follows:
>
> 351 11/22/2004 15:21:23.850 SEV=5 CERT/116 RPT=18
> Requesting CRL using HTTP. The HTTP URL is:
> http://192.168.1.98/crl/crlfile.crl
>
> 352 11/22/2004 15:21:23.860 SEV=4 IKE/80 RPT=18
> 66.123.111.19
> Group [VPNClient]
> Certificate validation failure, Successful
> (CN=ClientTest, SN=06)
>
> 354 11/22/2004 15:21:23.870 SEV=5 IKE/194 RPT=19 66.123.111.19
> Group [VPNClient]
> Sending IKE Delete With Reason message: No Reason Provided.
>
> Is there something different that I have to do to create a valid CRL that
> meets industry standards? The VPN client can connect successfully if the
> concentrator is not configured to perform CRL checking. Any help would be
> greatly appreciated.
You might want to try converting the CRL to DER and seeing if it needs a
specific MIME type; you might try application/pkix-crl for example.

You could also try putting invalid data at the relevant URL to see if you get
a different error: that might confirm it was accepting the CRL but wanted some
additional details in its content.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
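As an added illustration of the suggestion above (this script is not part of the thread and not OpenSSL project code), the following builds a throwaway CA, issues a CRL with the same `openssl ca -gencrl` shape as in the question, converts it to DER, and verifies the DER file against the CA certificate before it is published; the directory layout, config section names and file names are constructed assumptions, and a modern openssl (1.1 or later) is assumed in PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA, issues a CRL the
# way the question does, converts it to DER (as suggested in the reply) and
# checks the DER file before it is put on the web server.
set -eu

# Create a constructed CA in $1 and write crlfile.crl (PEM) and crlfile.der.
make_crl() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"          # empty database: nothing revoked yet
    echo 1000 > "$dir/crlnumber"  # counter for the CRL number extension
    # Minimal 'openssl ca' config; section and file names are assumptions.
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
default_md = sha256
default_crl_days = 30
crlnumber = \$dir/crlnumber
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
    # Self-signed CA key and certificate (constructed, throwaway).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/cakey.pem" \
        -out "$dir/cacert.pem" -days 365 -subj "/CN=DemoCA" \
        -config "$dir/ca.cnf" >/dev/null 2>&1
    # Same command shape as in the question, plus -config so the db is found.
    openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/cakey.pem" \
        -cert "$dir/cacert.pem" -out "$dir/crlfile.crl" >/dev/null 2>&1
    # Publish DER rather than PEM; serve it as Content-Type: application/pkix-crl.
    openssl crl -in "$dir/crlfile.crl" -outform DER -out "$dir/crlfile.der"
}

# Succeeds only if the DER CRL parses and its signature verifies against the CA.
verify_crl() {
    openssl crl -in "$1/crlfile.der" -inform DER -noout -CAfile "$1/cacert.pem" \
        2>&1 | grep -q 'verify OK'
}

# True if the file is DER (first byte is the ASN.1 SEQUENCE tag 0x30), not PEM.
is_der() {
    [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]
}
```

Run `is_der` against the file actually fetched from the HTTP URL in the concentrator log to confirm the web server is handing out the DER copy and not the PEM one.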