"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Wed, Jun 06, 2007, piyush tewari wrote:
>
> > Hi,
> >
> > I'm protecting one of my servers by using stunnel.
> > Now I am trying to use the revocation list concept in stunnel.
> >
> > For using the revocation list I performed the following steps.
> >
> > 1. For generating the CRL file
> > openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem
> >
> > 2. For revoking the certificates
> > openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
> >
> > The entry specified in the stunnel.conf file is:
> > CRLfile = my_crl.pem
>
> I'm assuming you created another CRL after revoking the certificate? Does the revoked certificate show up in the CRL when you use the crl utility?
>
> I'd suggest using s_client/s_server to see if a certificate shows up as revoked when you use that.
>
> Steve.

Yes. All the steps that I performed are as follows:

1. I created a blank CRL.
2. Revoked the certificate.
3. Created a new CRL file, say CRL2. This CRL is showing the revoked certificate.
4. In the stunnel conf file, I mentioned the path of CRL2.
5. I made the client request, having the revoked certificate.
6. But here again the client is still able to connect.

The second CRL file, that is CRL2, is showing the revoked certificate. But when I'm calculating the hash for this CRL, it is showing the error. This shows that the problem is related to OpenSSL.

The command line operations were as follows:

C:\openssl>openssl ca -gencrl -keyfile c:\ca\private\CAkey.pem -cert c:\ca\CAcert.pem -out my_crl.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for c:\ca\private\CAkey.pem:

C:\openssl>openssl ca -revoke C:\CA\temp\vnc_client_633156185719801329\client.crt -keyfile c:\ca\private\CAkey.pem -cert c:\ca\CAcert.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for c:\ca\private\CAkey.pem:
Adding Entry with serial number 02 to DB for /O=pkt633a
Revoking Certificate 02.
Data Base Updated

C:\openssl>openssl ca -gencrl -keyfile c:\ca\private\CAkey.pem -cert c:\ca\CAcert.pem -out my_crl1.pem
Using configuration from C:\OpenSSL\bin\openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for c:\ca\private\CAkey.pem:
DEBUG[load_index]: unique_subject = "yes"

C:\openssl>openssl x509 -hash -noout -in my_crl1.pem
unable to load certificate
656:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib.c:642:Expecting: TRUSTED CERTIFICATE
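The last command in the reply above fails because the `x509` utility only parses certificates; a CRL's hash comes from `openssl crl -hash -noout -in my_crl1.pem`, and the failure says nothing about whether the CRL itself is good. That hash matters only for by-directory lookups, where OpenSSL (and stunnel's `CRLpath`) search for a file named `<hash>.r0` next to the CA's `<hash>.0`; `CRLfile` takes the file path directly and needs no hash at all. The following script is an added example written for this thread, not code from the original posters or from OpenSSL or stunnel. It builds a throwaway CA in a temporary directory (all names such as Demo-CA and client are constructed), issues and revokes a client certificate, shows the `x509` failure beside the working `crl` command, and uses `openssl verify -crl_check` against a hashed directory as an offline counterpart of Steve's s_client/s_server check. It assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, revocation, CRL hashing
# and an offline -crl_check. Names (Demo-CA, client, temp dir) are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }

# Minimal config for the 'ca' and 'req' apps, rooted at the directory in $1.
write_ca_config() {
cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName       = Common Name
EOF
}

# The right tool: 'openssl crl' parses a CRL and prints its issuer-name hash.
crl_hash() { openssl crl -hash -noout -in "$1"; }

# The thread's mistake: 'openssl x509' only parses certificates, so on a CRL
# it fails with "unable to load certificate ... Expecting: TRUSTED CERTIFICATE".
x509_hash_of_crl() { openssl x509 -hash -noout -in "$1" 2>/dev/null; }

# Issue a CRL from the CA database and rebuild the hashed lookup directory:
# <subject-hash>.0 holds the CA cert, <issuer-hash>.r0 holds the CRL. This is
# the naming that CApath-style lookups (and stunnel's CRLpath) search for.
regen_crl() {
    dir="$1"
    openssl ca -gencrl -config "$dir/ca.cnf" -out "$dir/crl.pem" 2>/dev/null
    rm -rf "$dir/hashed" && mkdir -p "$dir/hashed"
    cp "$dir/ca.crt"  "$dir/hashed/$(openssl x509 -hash -noout -in "$dir/ca.crt").0"
    cp "$dir/crl.pem" "$dir/hashed/$(crl_hash "$dir/crl.pem").r0"
}

# Create CA, client certificate and an initial (empty) CRL under $1.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    write_ca_config "$dir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj /CN=Demo-CA \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=client \
        -config "$dir/ca.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
    regen_crl "$dir"
}

# Mark the client certificate revoked in the CA database and publish a new CRL
# (the step the thread needed: a CRL generated *after* the revocation).
revoke_client() {
    dir="$1"
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.crt" 2>/dev/null
    regen_crl "$dir"
}

# Offline counterpart of the s_client/s_server check: verify the client cert
# with CRL checking against the hashed directory. Prints OK or REVOKED.
verify_client() {
    dir="$1"
    if out="$(openssl verify -crl_check -CApath "$dir/hashed" "$dir/client.crt" 2>&1)"; then
        echo OK
    else
        case "$out" in *revoked*) echo REVOKED ;; *) echo "FAILED: $out" ;; esac
        return 1
    fi
}

WORK="$(mktemp -d)"
setup_ca "$WORK"
echo "CRL hash via 'openssl crl':    $(crl_hash "$WORK/crl.pem")"
echo "CA subject hash via 'x509':    $(openssl x509 -hash -noout -in "$WORK/ca.crt")"
x509_hash_of_crl "$WORK/crl.pem" || echo "'openssl x509 -hash' on a CRL fails, as in the thread"
echo "before revocation: $(verify_client "$WORK" || true)"
revoke_client "$WORK"
echo "after revocation:  $(verify_client "$WORK" || true)"
rm -rf "$WORK"
```

The CRL's issuer hash equals the CA certificate's subject hash, which is why the `.r0` file sits beside the CA's `.0` file in the same directory; if `verify` still reports OK after `revoke_client`, the CRL in the lookup directory is stale, which is the first thing to confirm before suspecting the TLS frontend.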