Steve, Thanks for the reply.

I am still getting revoked certificates passing SSL handshake with the Pound software load balancer terminating the SSL connection - so a further question: Does an SSL server implementation have to explicitly call OpenSSL APIs to check the certificate against a CRL, or will this be handled "under the hood" when it requests a validation of the certificate through the OpenSSL API?

Basically, I am trying to determine if Pound should be implicitly benefiting from the CRL functionality in 0.9.7e, or if it needs to be updated to make explicit API calls to check the CRL before accepting the certificate as valid.

(I've also asked this question on the Pound mailing list, but it seems to be much lower traffic and there have been no other messages the past few days, never mind a reply to my question ... so if there's any knowledge of Pound's SSL support on this mailing list I'd really appreciate it)

Thanks,
Damien

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: 25 February 2005 19:58
To: [email protected]
Subject: Re: CRL Handling - what am I doing wrong

You aren't doing anything wrong. However the s_server program's verify callback continues after any error so the revoked certificate doesn't stop the handshake. This is for testing and debugging purposes: a real server wouldn't do that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
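Added example, not from this thread and not Pound's or OpenSSL's own code: Python's standard ssl module is a thin wrapper over the same OpenSSL X509 verify store, so it shows the point Damien is asking about in a few lines: a server context validates the chain but consults no CRL unless the application both sets the CRL-check flag on the store (X509_V_FLAG_CRL_CHECK, exposed here as VERIFY_CRL_CHECK_LEAF / VERIFY_CRL_CHECK_CHAIN; a C program would set it with X509_STORE_set_flags on SSL_CTX_get_cert_store) and loads the CRL itself. The file names are placeholders; nothing is loaded when they do not exist.

```python
import ssl
from pathlib import Path

# Constructed placeholder paths: supply a PEM CA bundle and a PEM CRL.
CA_FILE = Path("ca.pem")
CRL_FILE = Path("crl.pem")


def crl_checking_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if verification will consult a CRL (the X509_V_FLAG_CRL_CHECK bit)."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def make_naive_server_context(ca_file: Path = CA_FILE) -> ssl.SSLContext:
    """Requires a client certificate and checks the chain against the CA,
    but never looks at a CRL: a revoked certificate still completes the
    handshake, which is the behaviour reported in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file.exists():
        ctx.load_verify_locations(cafile=str(ca_file))
    return ctx


def make_crl_checking_server_context(
    ca_file: Path = CA_FILE, crl_file: Path = CRL_FILE, check_chain: bool = False
) -> ssl.SSLContext:
    """Same server, with revocation checking switched on explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The opt-in step: LEAF checks only the peer certificate, CHAIN also
    # checks every issuer (X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL).
    ctx.verify_flags |= (
        ssl.VERIFY_CRL_CHECK_CHAIN if check_chain else ssl.VERIFY_CRL_CHECK_LEAF
    )
    if ca_file.exists():
        ctx.load_verify_locations(cafile=str(ca_file))
    if crl_file.exists():
        # CRLs are loaded through the same call; without the flag above they
        # would sit in the store unused.
        ctx.load_verify_locations(cafile=str(crl_file))
    # Fail-closed caveat: with the flag set and no CRL for the issuer loaded,
    # OpenSSL rejects every handshake ("unable to get certificate CRL"), so
    # the CRL must be refreshed before it expires, not only at start-up.
    return ctx
```

Because verification happens inside the library, the application's verify callback must also return the result it was given; a callback that always returns success, as s_server does for debugging, overrides the revocation failure just as it overrides any other error.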
