Nima Sharifimehr wrote:
> When you specify the flag X509_V_FLAG_CRL_CHECK for the cert
> verification, then you will need to have a valid corresponding CRL
> for the last cert in the cert chain. And if you specify the flag
> X509_V_FLAG_CRL_CHECK then you will need to have corresponding CRLs
> for all the certs available in the chain.

Ok, it works as expected with both the CRL included in the CA-bundle
file or explicitly added by a call to X509_STORE_add_crl after
SSL_CTX_load_verify_locations. However, it fails as described in my
previous mail when I try to verify a cert on demand against some
custom store.

> So, I am guessing you are missing to load corresponding CRLs for
> your cert before performing the verification and that's why you get
> the error "X509_V_ERR_UNABLE_TO_GET_CRL".

When the revoked cert is verified, the CRL must have been loaded, since
the verify result sounds correct; I get error
X509_V_ERR_UNABLE_TO_GET_CRL only if the certificate is not revoked.

I use a simple test:

#1 Self-signed root
#2 Intermediate signed by #1
#3..#4 Server certs signed by #2
#3 revoked, CRL signed by #2
#1 and #2 both in the same TrustedCA.pem

Basically what I'm doing is this (TrustedCAFileName, Crl, VerifyFlags,
X509ToCheck, UntrustedChain, TrustedChain, Purpose, Self and
StoreVerifyCallback are set up beforehand):

    X509_STORE     *Store    = X509_STORE_new();
    X509_STORE_CTX *StoreCtx = X509_STORE_CTX_new();
    X509_LOOKUP    *Lookup   = X509_STORE_add_lookup(Store, X509_LOOKUP_file());
    /* trusted #1 and #2 from TrustedCA.pem */
    X509_LOOKUP_load_file(Lookup, TrustedCAFileName, X509_FILETYPE_PEM);
    /* the CRL signed by #2, then the X509_V_FLAG_* verify flags */
    X509_STORE_add_crl(Store, Crl);
    X509_STORE_set_flags(Store, VerifyFlags);
    X509_STORE_CTX_init(StoreCtx, Store, X509ToCheck, UntrustedChain);
    X509_STORE_CTX_set_ex_data(StoreCtx, 0, Self);
    X509_STORE_CTX_set_verify_cb(StoreCtx, StoreVerifyCallback);
    X509_STORE_CTX_trusted_stack(StoreCtx, TrustedChain);
    X509_STORE_CTX_set_purpose(StoreCtx, Purpose);
    X509_verify_cert(StoreCtx);

-- 
Arno Garrels

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
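The test setup from the mail above (#1 root, #2 intermediate, #3 and #4 server certs signed by #2, #3 revoked by a CRL from #2, #1 and #2 in one TrustedCA.pem), rebuilt with the openssl command-line tool as an added example; this is not code from the mail or from OpenSSL itself. It assumes an openssl binary on PATH, uses -crl_check and -crl_check_all as the CLI equivalents of X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL, and constructs all keys, certificates and the CRL in a temporary directory.

```shell
# Constructed throwaway PKI in a temp dir (assumes an openssl binary on PATH):
# #1 root, #2 intermediate signed by #1, #3/#4 server certs signed by #2, #3 revoked by a CRL from #2.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = inter_ca
[ inter_ca ]
database = index.txt
new_certs_dir = .
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF
KEY="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
openssl req -x509 -config pki.cnf -extensions ca_ext -subj /CN=Root $KEY -keyout root.key -out root.pem 2>/dev/null
openssl req -new -config pki.cnf -subj /CN=Inter $KEY -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile pki.cnf -extensions ca_ext -out inter.pem 2>/dev/null
for n in 3 4; do
  openssl req -new -config pki.cnf -subj /CN=server$n $KEY -keyout s$n.key -out s$n.csr 2>/dev/null
  openssl x509 -req -in s$n.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out s$n.pem 2>/dev/null
done
# Revoke #3 and issue the CRL signed by #2. No CRL is ever issued by the root.
: > index.txt
openssl ca -config pki.cnf -revoke s3.pem >/dev/null 2>&1
openssl ca -config pki.cnf -gencrl -out crl.pem >/dev/null 2>&1
cat root.pem inter.pem > TrustedCA.pem    # #1 and #2 in the same trusted-CA file, as in the mail
# crl_outcome FLAG CERT: FLAG is -crl_check (X509_V_FLAG_CRL_CHECK) or -crl_check_all
# (X509_V_FLAG_CRL_CHECK_ALL); prints OK, REVOKED, NO_CRL (X509_V_ERR_UNABLE_TO_GET_CRL) or OTHER.
crl_outcome() {
  out=$(openssl verify "$1" -CRLfile crl.pem -CAfile TrustedCA.pem "$2" 2>&1) && { echo OK; return 0; }
  case "$out" in
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *)                                 echo OTHER ;;
  esac
}
for f in -crl_check -crl_check_all; do for c in s3.pem s4.pem; do echo "$f $c: $(crl_outcome $f $c)"; done; done
```

The final loop prints one result line per flag and certificate, so the effect of each flag on the revoked (#3) and non-revoked (#4) certificate can be compared directly.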
