On Mon, Feb 28, 2005, Damien Dougan wrote:

> Steve,
>
> Thanks for the reply.
>
> I am still getting revoked certificates passing SSL handshake with the
> Pound software load balancer terminating the SSL connection - so a
> further question:
>
> Does an SSL server implementation have to explicitly call OpenSSL APIs to
> check the certificate against a CRL, or will this be handled "under the
> hood" when it requests a validation of the certificate through the
> OpenSSL API?
>
> Basically, I am trying to determine if Pound should be implicitly
> benefiting from the CRL functionality in 0.9.7e, or if it needs to be
> updated to make explicit API calls to check the CRL before accepting the
> certificate as valid.
>
> (I've also asked this question on the Pound mailing list, but it seems
> to be much lower traffic and there have been no other messages the past
> few days, never mind a reply to my question ... so if there's any
> knowledge of Pound's SSL support on this mailing list I'd really
> appreciate it)
CRL checking is not automatic. The CRLs need to be placed in the trusted
certificate store and the appropriate flag set. If those options aren't
present in an application then CRL checking won't happen.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [email protected]
Automated List Manager                             [EMAIL PROTECTED]
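The following script is an added illustration of the point made in the reply above; it is not part of the original thread and says nothing about Pound's own code. Using only the openssl command-line tool, it builds a throwaway CA, issues one certificate, revokes it and publishes a CRL, then runs `openssl verify` three times: with only the CA trusted, with the CRL appended to the same trust file but no flag set, and with the CRL in the trust file plus `-crl_check` (the CLI form of the X509_V_FLAG_CRL_CHECK verification flag). Only the third run rejects the revoked certificate. Every name, path and the minimal `ca.cnf` are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows that a revoked certificate
# still verifies unless the CRL is in the trust store AND the CRL-check flag is
# set. Needs only the `openssl` CLI; every key, certificate and CRL is generated
# locally as throwaway test data.
set -e

# Build a one-off CA under directory $1, issue a server certificate, revoke it
# and publish a CRL. Names and the minimal ca.cnf are constructed for this demo.
make_pki() {
    d="$1"
    mkdir -p "$d"
    : > "$d/index.txt"    # empty `openssl ca` database
    # Just enough configuration for `openssl ca -revoke` and `-gencrl`.
    printf '[ ca ]\ndefault_ca = demo_ca\n\n[ demo_ca ]\ndatabase   = %s/index.txt\ndefault_md = sha256\n' \
        "$d" > "$d/ca.cnf"

    # Self-signed CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    # Server key and CSR, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$d/srv.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -out "$d/srv.pem" >/dev/null 2>&1

    # Revoke the server certificate and issue the CRL that lists it.
    openssl ca -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key" -md sha256 \
        -revoke "$d/srv.pem" >/dev/null 2>&1
    openssl ca -config "$d/ca.cnf" -cert "$d/ca.pem" -keyfile "$d/ca.key" -md sha256 \
        -gencrl -crldays 1 -out "$d/crl.pem" >/dev/null 2>&1

    # Trust store that also carries the CRL: one PEM file, CA certificate
    # followed by the CRL. This is the "CRL placed in the trusted store" case.
    cat "$d/ca.pem" "$d/crl.pem" > "$d/ca_and_crl.pem"
}

# Chain validation only: the CA is trusted, the signature and dates are fine,
# so the revoked certificate is accepted. Prints accepted|rejected.
verify_plain() {
    openssl verify -CAfile "$1/ca.pem" "$1/srv.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected
}

# CRL present in the store but no flag set: still accepted. The CRL is never
# consulted unless the application asks for it.
verify_crl_in_store_no_flag() {
    openssl verify -CAfile "$1/ca_and_crl.pem" "$1/srv.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected
}

# CRL in the store and -crl_check set (X509_V_FLAG_CRL_CHECK in the API):
# verification now fails with "certificate revoked".
verify_crl_check() {
    openssl verify -crl_check -CAfile "$1/ca_and_crl.pem" "$1/srv.pem" >/dev/null 2>&1 \
        && echo accepted || echo rejected
}

# Stand-alone run.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
echo "no CRL, no flag:          $(verify_plain "$demo_dir")"                # accepted
echo "CRL in store, no flag:    $(verify_crl_in_store_no_flag "$demo_dir")" # accepted
echo "CRL in store, -crl_check: $(verify_crl_check "$demo_dir")"            # rejected
rm -rf "$demo_dir"
```

In application code the two halves map onto the OpenSSL API the same way: the CRL has to reach the X509_STORE the SSL_CTX verifies against (for example via X509_STORE_add_crl or X509_load_crl_file), and the store needs X509_STORE_set_flags with X509_V_FLAG_CRL_CHECK (add X509_V_FLAG_CRL_CHECK_ALL to also check intermediate CAs against their CRLs). If an application does neither, a revoked certificate passes the handshake exactly as in the first two runs above.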
