Steve,
Thanks again.
I've added the following to Pound's source code and I am correctly
detecting the revoked certificate.
(Also thanks to Joseph Bruni, whose sample source code I shamelessly
nabbed from his "CRL bug?" posting)
619,631d618
<
< // CRL fix
< X509_STORE* store = SSL_CTX_get_cert_store
(ctx[i]);
<
< if (!store)
< {
< logmsg(LOG_ERR, "SSL_CTX_get_cert failed -
aborted");
<
< exit(1);
< }
<
< X509_STORE_set_flags (store,
X509_V_FLAG_CRL_CHECK);
<
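Review bot: X509_V_FLAG_CRL_CHECK on its own only checks the end-entity certificate against a CRL; if revocation of intermediate CAs also matters, set it together with X509_V_FLAG_CRL_CHECK_ALL, e.g. `X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);`. Once the flag is set, a current CRL for the issuing CA must actually be present in the store, otherwise every client certificate is rejected with "unable to get certificate CRL", so this change needs to be paired with loading the CRL alongside whatever CA file Pound reads, and with refreshing it before its nextUpdate. Two smaller points: the error text says `SSL_CTX_get_cert failed` while the call is `SSL_CTX_get_cert_store`, so the message should name the function that was called; and the diff was taken with the modified file as the first argument (the `<` lines are the additions), so a `diff -u old new` would be easier for others to apply.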
633d619
<
Damien
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: 28 February 2005 12:22
To: [email protected]
Subject: Re: CRL Handling - what am I doing wrong
On Mon, Feb 28, 2005, Damien Dougan wrote:
> Steve,
>
> Thanks for the reply.
>
> I am still getting revoked certificates passing SSL handshake with the
> Pound software load balancer terminating the SSL connection - so a
> further question:
>
> Does a SSL server implementation have to explicitly call OpenSSL APIs to
> check the certificate against a CRL, or will this be handled "under the
> hood" when it requests a validation of the certificate through the
> OpenSSL API?
>
> Basically, I am trying to determine if Pound should be implicitly
> benefiting from the CRL functionality in 0.9.7e, or if it needs updated
> to make explicit API calls to check the CRL before accepting the
> certificate as valid.
>
> (I've also asked this question on the Pound mailing list, but it seems
> to be much lower traffic and there's been no other messages the past few
> days, never mind a reply to my question ... so if there's any knowledge
> of Pound's SSL support on this mailing list I'd really appreciate it)
>
>
CRL checking is not automatic. The CRLs need to be placed in the trusted
certificate store and the appropriate flag set. If those options aren't
present in an application then CRL checking won't happen.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
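The opt-in behaviour Steve describes, shown with the openssl command-line tool as an added example that is not part of this thread and not Pound's code. It assumes only that `openssl` is on PATH; the CA, the client certificate, the CRL and the config file are all constructed in a scratch directory. It goes one step beyond the reply by also showing the third outcome a deployer needs to know about: the CRL flag set but no CRL loaded.

```shell
#!/bin/sh
# Added example, not from the thread: CRL checking in OpenSSL is opt-in.
# Assumes the `openssl` CLI is on PATH; everything else is constructed here.
set -eu

# Build a throwaway CA, issue one client certificate, revoke it, publish a CRL.
setup_pki() {
    dir=$1
    touch "$dir/index.txt"          # `openssl ca` database (constructed, empty)
    echo 01 > "$dir/crlnumber"
    # One minimal config for both `openssl req` and `openssl ca` (constructed).
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 1
crlnumber        = $dir/crlnumber
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=revoked client" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
    # "CRL placed in the trusted certificate store": CA cert and CRL in one file.
    cat "$dir/ca.pem" "$dir/crl.pem" > "$dir/trust-with-crl.pem"
}

# 1. Plain verify, no CRL flag: chain and dates are checked, revocation is not,
#    so the revoked certificate is accepted. Returns 0 when the output says OK.
verify_without_crl() {
    out=$(openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1 || true)
    case $out in *": OK"*) return 0 ;; esac
    return 1
}

# 2. Flag set (-crl_check, the CLI form of X509_V_FLAG_CRL_CHECK) and the CRL
#    present in the store: the certificate is now rejected as revoked.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile "$1/trust-with-crl.pem" "$1/leaf.pem" 2>&1 || true)
    case $out in *"certificate revoked"*) return 0 ;; esac
    return 1
}

# 3. Flag set but no CRL loaded: verification fails for every certificate,
#    revoked or not, because the issuer's CRL cannot be found.
verify_flag_without_crl() {
    out=$(openssl verify -crl_check -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1 || true)
    case $out in *"unable to get certificate CRL"*) return 0 ;; esac
    return 1
}

workdir=$(mktemp -d)
setup_pki "$workdir"
verify_without_crl "$workdir"
echo "no CRL flag:              revoked certificate accepted"
verify_with_crl "$workdir"
echo "flag set, CRL in store:   certificate revoked"
verify_flag_without_crl "$workdir"
echo "flag set, CRL missing:    unable to get certificate CRL"
rm -rf "$workdir"
```

Case 3 is the one to plan for before switching a flag like this on in a server: the CRL has to be loaded together with the CA certificates and replaced before its nextUpdate passes, or the server starts refusing every client rather than only the revoked ones.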
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]