Hello
I built a web server with Apache 2.xx. Access is secured with the
SSLVerifyClient directive.
When I revoke a certificate and then generate my CRL, I can verify that
the certificate has indeed been revoked and is part of the CRL with the
following commands:

openssl ca -config openssl.cnf -revoke file.pem
openssl ca -config openssl.cnf -gencrl -out crl.pem -crldays 30

And:

openssl crl -in crl.pem -text

Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=FR/ST=RHONE ALPE/L=LYON/O=DGI/CN=ca_root/[EMAIL PROTECTED]
        Last Update: Mar 21 12:05:03 2006 GMT
        Next Update: Apr 20 12:05:03 2006 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Mar 17 13:13:21 2006 GMT
    Serial Number: 03
        Revocation Date: Mar 17 12:16:19 2006 GMT
    Signature Algorithm: md5WithRSAEncryption

Problem: I'm still able to connect to the server with my revoked
certificate.
Question: I'm not sure that Apache takes account of my CRL; how can I
verify it?
Second question: what can I do so that my revoked certificate is
rejected by the web server?


My httpd.conf:

<VirtualHost xx.xx.xx.xx:443>
DocumentRoot "/var/www/serveur/serverssl/html"
ServerName serverssl
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_ssl_log
TransferLog logs/access_ssl_log
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/cassl/serverssl.pem
SSLCertificateKeyFile /etc/ssl/cassl/serverssl.key
SSLCACertificatePath /etc/ssl/cassl
SSLCACertificateFile /etc/ssl/cassl/trustees.pem
SSLCARevocationFile /etc/ssl/crl/crl.pem
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>


Any help would be great
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
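A way to check the CRL itself before looking at Apache, as an added example that is not part of the original post or of the OpenSSL project: if `openssl verify -crl_check` rejects the client certificate against the same CA file and CRL while mod_ssl still admits it, the CRL is correct and the gap is in how Apache loads it. The script assumes only that the openssl CLI is on PATH; the CA, client certificate and minimal config it builds are constructed throwaway test material, not the poster's files.

```shell
# Added example, not from the post: verify a CRL offline with `openssl verify -crl_check`.
# The CA, client cert and openssl.cnf below are constructed test material.
set -e
# crl_rejects_cert CA_CERT CRL CLIENT_CERT: prints revoked|accepted, returns 0|1|2
crl_rejects_cert() {
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked;  return 0 ;;
        *": OK"*)                echo accepted; return 1 ;;
        *) echo "unexpected verify output: $out" >&2; return 2 ;;
    esac
}
# Throwaway CA + client cert + minimal openssl.cnf for `openssl ca`; prints the dir.
make_test_pki() {
    dir=$(mktemp -d) && cd "$dir" && touch index.txt
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out client.pem 2>/dev/null
    echo "$dir"
}
# The post's sequence (-revoke, then -gencrl), checked before and after it.
demo_revocation_flow() {
    dir=$(make_test_pki) && cnf="$dir/ca.cnf"
    openssl ca -config "$cnf" -gencrl -crldays 30 -out "$dir/crl.pem" 2>/dev/null
    before=$(crl_rejects_cert "$dir/ca.pem" "$dir/crl.pem" "$dir/client.pem" || true)
    openssl ca -config "$cnf" -revoke "$dir/client.pem" 2>/dev/null
    openssl ca -config "$cnf" -gencrl -crldays 30 -out "$dir/crl.pem" 2>/dev/null
    after=$(crl_rejects_cert "$dir/ca.pem" "$dir/crl.pem" "$dir/client.pem" || true)
    rm -rf "$dir"; echo "before=$before after=$after"   # before=accepted after=revoked
}
demo_revocation_flow
```

mod_ssl reads SSLCARevocationFile when the server starts, so a regenerated CRL is only seen after Apache is restarted; on Apache 2.4 the check is additionally off unless SSLCARevocationCheck is set to chain or leaf.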
