Okay, I solved this problem in a very unexpected way. First of all, I was using s_server incorrectly. I neglected to add -CAfile. Doing so caused my application to get the error "23: certificate revoked" as expected.
However, accessing servers which were NOT revoked still produced the error "3: unable to get certificate CRL". I solved this problem in my SSL verify callback function by checking for error == 3, and returning true. In other words, by simply ignoring the error!

Thanks for all the help,
-David

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 10, 2005, david kine wrote:
>
> > I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but unfortunately it did not help. Attempting to connect to ANY secure server still causes the same "unable to get certificate CRL" error.
> >
> > I know that the CRL is loaded successfully, because I can later extract it from the SSL_CTX and print its issuer using X509_NAME_oneline( X509_CRL_get_issuer() ).
> >
> > (The original PEM CRL was converted to DER as you noticed).
> >
> > I tried an experiment where I do NOT load the CRL, but I DO set the X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any secure server, with the "unable to get certificate CRL" message. Perhaps this is a clue.
> >
> > To summarize, my program works perfectly unless I set the X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using X509_load_crl_file().
> >
>
> Does the CRL cover the server certificate in question? I'd suggest extracting a server chain using the -showcerts option to s_client.
>
> Then pass the chain to "openssl verify", include the CRL and see if you can get the crl_check option to work with that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
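The "openssl verify ... -crl_check" experiment Steve recommends, written out as an added example (not code from the thread or from the OpenSSL project). It builds a throwaway CA, one server certificate and a CRL in a temporary directory, all constructed here, and then shows the three outcomes the thread talks about: error 3 "unable to get certificate CRL" when the verifier has no CRL for the issuer of the certificate it is checking, "OK" once that issuer's CRL is supplied, and error 23 "certificate revoked" after the certificate is added to the CRL. Error 3 is raised per issuer, which is why loading one CA's CRL does not help with servers issued by other CAs; a callback that returns success on it turns the CRL check into a no-op whenever a CRL is missing. The CA name, subject names and the minimal ca.cnf are assumptions of this example; the only tool used is the openssl command line.

```shell
#!/bin/sh
# Added example: reproduce the verify outcomes behind error 3 and error 23
# with a constructed test PKI. Requires only the openssl CLI.
set -eu

# Build a fresh CA, server certificate and (initially empty) CRL in a new
# temporary directory and make it the working directory.
setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleTestCA \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=server.example \
        -keyout srv.key -out srv.csr 2>/dev/null
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out srv.crt 2>/dev/null
    # Minimal config so "openssl ca" can keep a revocation database (assumed layout).
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca
[ example_ca ]
database    = index.txt
crlnumber   = crlnumber
certificate = ca.crt
private_key = ca.key
default_md  = sha256
EOF
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl 2>/dev/null
}

# verify_with_crl_check <cert> [<crl>]: run the leaf CRL check and map the
# verifier's message to a short outcome token.
verify_with_crl_check() {
    cert=$1; crl=${2:-}
    if [ -n "$crl" ]; then
        out=$(openssl verify -CAfile ca.crt -CRLfile "$crl" -crl_check "$cert" 2>&1) || true
    else
        out=$(openssl verify -CAfile ca.crt -crl_check "$cert" 2>&1) || true
    fi
    case "$out" in
        *"unable to get certificate CRL"*) echo "UNABLE_TO_GET_CRL" ;;  # X509 error 3
        *"certificate revoked"*)           echo "REVOKED" ;;            # X509 error 23
        *": OK"*)                          echo "OK" ;;
        *)                                 echo "OTHER: $out" ;;
    esac
}

# Revoke the server certificate and reissue the CRL so it now lists it.
revoke_server_cert() {
    openssl ca -config ca.cnf -revoke srv.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl 2>/dev/null
}

run_demo() {
    setup_pki
    echo "no CRL for issuer:      $(verify_with_crl_check srv.crt)"
    echo "issuer CRL supplied:    $(verify_with_crl_check srv.crt ca.crl)"
    revoke_server_cert
    echo "after revocation:       $(verify_with_crl_check srv.crt ca.crl)"
}

run_demo
```

Running it prints UNABLE_TO_GET_CRL, then OK, then REVOKED. The first line is the situation the poster hit against every server: the check is per issuer, so a verifier that has been told to check CRLs but holds none for this issuer reports error 3 rather than silently passing.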