OpenSSL does not automatically retrieve the CRL. Only CA certificates issue CRLs (unless you're using proxy certificates). If the CA issues a CRL, the information about it will be in the CA certificate, and it will need to be retrieved before it can be added.
I know that OpenSSL handles OCSP, but I don't know how to code it.

-Kyle H

On Mon, Jul 7, 2008 at 3:59 AM, Konrad Kleine <[EMAIL PROTECTED]> wrote:
> Thank you for your answer.
>
> Here's how we implemented our trust center with our SslCertificate class
> that wraps an X509 pointer:
>
> // BEGIN CODE //////////////////////////////////////////////////
> X509_STORE * x509Store = SSL_CTX_get_cert_store(m_sslContext);
>
> // m_settings.m_caCertificates is a "std::list<SslCertificate>"
> std::list<SslCertificate>::iterator it = m_settings.m_caCertificates.begin();
>
> while(it != m_settings.m_caCertificates.end())
> {
>     if (!(*it).isNull())
>     {
>         X509 * x509 = (*it).getX509();
>         X509_STORE_add_cert(x509Store, x509);
>     }
>
>     it++;
> }
> // END CODE ////////////////////////////////////////////////////
>
> The code works in our case but I don't know if it works in general
> because I don't know how to handle CRLs. Do I need a CRL file for every
> certificate or only for CA ones? Or does OpenSSL automatically get the
> CRLs during the verification process? Is there a difference in verification
> when using "X509_STORE_add_cert" or "SSL_CTX_load_verify_locations"?
>
> I ask this because during coding, I found this function:
> "X509_STORE_add_crl".
>
> Konrad
>
>
> Dr. Stephen Henson wrote:
>> On Sun, Jul 06, 2008, Konrad Kleine wrote:
>>
>>> Back to the point:
>>>
>>> 0) How can we get the X509-certificate store that we trust?
>>>    Is this correct?
>>>
>>>    SSL_CTX * context = ...
>>>    X509_STORE * store = context->cert_store;
>>>
>>
>> You should call X509_CTX_get_cert_store() and not access the structure
>> directly.
>>
>>> 1) How can we add a bunch of "X509*" to the X509-certificate-store
>>>    that we trust?
>>>
>>
>> X509_STORE_add_cert().
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Homepage: http://www.drh-consultancy.demon.co.uk
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           [EMAIL PROTECTED]