Okay, I solved this problem in a very unexpected way.

First of all, I was using s_server incorrectly.  I
neglected to add -CAfile.  Doing so caused my
application to get the error "23: certificate revoked"
as expected.

However, accessing servers which were NOT revoked
still produced the error "3: unable to get certificate
CRL".

I solved this problem in my SSL verify callback
function by checking for error == 3, and returning
true.  In other words, by simply ignoring the error!

Thanks for all the help,

-David


--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 10, 2005, david kine wrote:
> 
> > I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but
> > unfortunately it did not help.  Attempting to connect to ANY secure
> > server still causes the same "unable to get certificate CRL" error.
> > 
> > I know that the CRL is loaded successfully, because I can later
> > extract it from the SSL_CTX and print its issuer using
> > X509_NAME_oneline( X509_CRL_get_issuer() ).
> > 
> > (The original PEM CRL was converted to DER as you noticed).
> > 
> > I tried an experiment where I do NOT load the CRL, but I DO set the
> > X509_V_FLAG_CRL_CHECK flag.  The same error occurs: cannot connect
> > to any secure server, with the "unable to get certificate CRL"
> > message.  Perhaps this is a clue.
> > 
> > To summarize, my program works perfectly unless I set the
> > X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using
> > X509_load_crl_file().
> > 
> 
> Does the CRL cover the server certificate in question?
> 
> I'd suggest extracting a server chain using the -showcerts option to
> s_client.
> 
> Then pass the chain to "openssl verify", include the CRL and see if you
> can get the crl_check option to work with that.
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 
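The experiment Steve proposes above (pass a chain plus the CRL to "openssl verify" and try the crl_check option), reproduced as an added example; this is not code from the thread. It assumes the openssl command-line tool is installed and builds its own throwaway CA, server certificate and two CRLs in a temporary directory instead of extracting a chain from a live server with s_client -showcerts; every file name, subject name and ca.cnf setting below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduces the outcomes discussed
# above with "openssl verify", using a locally generated test CA, server
# certificate and CRLs instead of a chain captured from a live server with
# "s_client -showcerts". Needs the openssl command-line tool; every file and
# subject name here is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal "openssl ca" configuration: only the settings -gencrl and -revoke
# read. No certificates are issued through "openssl ca" here.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca

[ test_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt
echo 1000 > crlnumber

# Constructed PKI: a self-signed CA and one server certificate it issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=server.example.test" >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out srv.crt >/dev/null 2>&1

# Two CRLs from the same CA: one issued before the server certificate was
# revoked (covers it, lists nothing) and one issued after revoking it.
openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1
openssl ca -config ca.cnf -revoke srv.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1

# Run "openssl verify" on the server certificate with extra options and
# report the result the way a verify callback would see it: "ok", the
# numeric X509 verify error (3 = unable to get certificate CRL,
# 23 = certificate revoked), or the raw output for anything unexpected.
verify_result() {
    out=$(openssl verify -CAfile ca.crt "$@" srv.crt 2>&1) && { echo ok; return 0; }
    case $out in
        *"unable to get certificate CRL"*) echo 3 ;;
        *"certificate revoked"*)           echo 23 ;;
        *)                                 echo "$out" ;;
    esac
}

echo "no CRL checking:                 $(verify_result)"
echo "-crl_check, no CRL loaded:       $(verify_result -crl_check)"
echo "-crl_check, CRL without entries: $(verify_result -crl_check -CRLfile empty.crl)"
echo "-crl_check, CRL listing server:  $(verify_result -crl_check -CRLfile revoked.crl)"
```

Run it as a script. The four lines it prints are the cases from the thread: verification without CRL checking passes; -crl_check with no CRL loaded fails with error 3, the "unable to get certificate CRL" David saw for every server; -crl_check with a current CRL from the issuing CA passes; and -crl_check with a CRL that lists the certificate fails with error 23. Error 3 only goes away when a CRL that covers the server certificate's issuer is present, which is what Steve's question about coverage is getting at. A verify callback that returns success on error 3 turns the second case into the third, so revocation is only ever enforced for servers whose issuer CRL happens to be loaded; servers without one are accepted without any revocation check at all.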



                