Looking for the cause of this error in my secure
client application, coming from the SSL_connect()
function:

---------
ERROR 3: unable to get certificate CRL
SSL_connect error 1, error:00000001:lib(0):func(0):reason(1)
SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
----------

The application loads three trusted root CAs and
successfully connects to secure servers signed with
one of the CAs.  However, the problem occurs when I
load a CRL file:

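----------
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* ctx is the SSL_CTX that already holds the three trusted root CAs. */
X509_STORE *store = SSL_CTX_get_cert_store( ctx );

/* Add a file-based lookup to the store and load the CRL through it. */
X509_LOOKUP *lookup = X509_STORE_add_lookup( store, X509_LOOKUP_file() );
X509_load_crl_file( lookup, "test.crl", X509_FILETYPE_PEM );

/* Turn on CRL checking for every certificate in the chain. */
X509_STORE_set_flags( store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
----------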

The "test.crl" file is:


The three trusted root CAs loaded into the SSL ctx
are:

----------
ISSUER/SUBJECT:  '/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'

ISSUER/SUBJECT:  '/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'

ISSUER/SUBJECT:  '/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1'
----------

Do I need to load additional files in order to make
CRL handling work?  What is the relationship between
the CRL files and the trusted root CAs?

Thanks for any suggestions or pointers to
documentation.

-David
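
An added example, not part of the original post and not OpenSSL source: a simplified C model of how CRL checking selects CRLs, showing when verification ends in error 3. OpenSSL looks for a CRL whose issuer matches the issuer of each certificate it checks (the server certificate only with X509_V_FLAG_CRL_CHECK, every certificate in the chain when X509_V_FLAG_CRL_CHECK_ALL is also set). The chain, every name except the Equifax root DN, and the function names are constructed for illustration; CRL signature and validity-period checks are left out.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not OpenSSL source. Flag and error values mirror OpenSSL's. */
#define CRL_CHECK     0x4  /* X509_V_FLAG_CRL_CHECK: server certificate only */
#define CRL_CHECK_ALL 0x8  /* X509_V_FLAG_CRL_CHECK_ALL: whole chain */
#define V_OK 0
#define V_ERR_UNABLE_TO_GET_CRL 3  /* "ERROR 3: unable to get certificate CRL" */

struct cert { const char *subject, *issuer; };
/* Constructed sample data; only ROOT is a DN taken from the post. */
#define ROOT "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"
#define SUB  "/O=Example/CN=Constructed Issuing CA"
static const struct cert CHAIN[] = {
    { "/CN=www.example.test", SUB },  /* depth 0: server certificate */
    { SUB, ROOT },                    /* depth 1: intermediate CA */
    { ROOT, ROOT },                   /* depth 2: self-signed root */
};
static const char *UNRELATED[] = { "/CN=Constructed Unrelated Test CA" };
static const char *LEAF_ONLY[] = { SUB };
static const char *FULL[]      = { SUB, ROOT };

/* A CRL covers a certificate only when the CRL issuer equals the certificate's issuer. */
static int have_crl_for(const struct cert *c, const char **crls, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(crls[i], c->issuer) == 0) return 1;
    return 0;
}

/* Returns V_OK, or V_ERR_UNABLE_TO_GET_CRL with *depth set to the failing chain index. */
int check_revocation(const struct cert *chain, int len, const char **crls, int n,
                     unsigned flags, int *depth)
{
    if (!(flags & CRL_CHECK)) return V_OK;   /* no CRL checking requested */
    int last = (flags & CRL_CHECK_ALL) ? len - 1 : 0;
    for (int i = 0; i <= last; i++)
        if (!have_crl_for(&chain[i], crls, n)) { *depth = i; return V_ERR_UNABLE_TO_GET_CRL; }
    return V_OK;
}

int main(void)
{
    int d = -1;
    int r = check_revocation(CHAIN, 3, UNRELATED, 1, CRL_CHECK | CRL_CHECK_ALL, &d);
    printf("unrelated CRL only: error %d at depth %d\n", r, d);
    r = check_revocation(CHAIN, 3, LEAF_ONLY, 1, CRL_CHECK | CRL_CHECK_ALL, &d);
    printf("issuing CA's CRL only: error %d at depth %d\n", r, d);
    r = check_revocation(CHAIN, 3, FULL, 2, CRL_CHECK | CRL_CHECK_ALL, &d);
    printf("CRLs for both issuers: error %d\n", r);
    return 0;
}
```

In a real client, a verify callback that prints the issuer of the certificate at the failing depth identifies which CA's CRL still has to be loaded.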



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
