Hi,
I saw the thread "Multiple CRL with same issuer" on this mailing list, and I have the same problem:

For one CA issuer I have 100 CRLs, and if the revoked certificate is not in the first CRL (in my case it is in the 11th CRL), openssl verify returns OK.

I have downloaded and installed openssl 1.0.0a, then
1) tried to create 1 file for each CRL in PEM format, and created a symbolic link
ln -s crlPEMn.crl `openssl crl -hash -noout -in crlPEMn.crl`.rn
with n from 0 to 99.
Executing
openssl verify -verbose -CApath ./demoCA/certs -crl_check ./RevokedCert.cer
the result is OK, and it is very fast; it seems that it checks only the first CRL (with .r0).

2) tried to create 1 file, with all the CRLs concatenated in PEM format, and created a symbolic link
ln -s crlPEM.crl `openssl crl -hash -noout -in crlPEM.crl`.r0
Executing
openssl verify -verbose -CApath ./demoCA/certs -crl_check ./RevokedCert.cer
the result is OK, but it is slow, as if it checks the whole big CRL file, but it cannot find the revoked serial number.

I've also tried to pass all the other verify args for CRL, but the result does not change.

Please, where am I wrong? I downloaded openssl 1.0.0a because I've read that from 0.9.9dev there is support for multiple CRLs.

Thanks in advance
M.M.
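
A diagnostic for the setup described in the message above, added here as an example and not part of the original post: it reports, for each CRL file, the issuer hash used for the `.rN` link name and whether the certificate's serial is listed, independently of what `openssl verify -crl_check` concludes. The function names and the sample text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not part of OpenSSL.

# Normalise a hex serial: uppercase, leading zeros stripped (at least one digit kept).
norm_serial() {
    printf '%s' "$1" | tr 'a-f' 'A-F' | sed -e 's/^0*//' -e 's/^$/0/'
}

# Read `openssl crl -text -noout` output on stdin; succeed if SERIAL is listed as revoked.
serial_in_crl_text() {
    want=$(norm_serial "$1")
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\) *$/\1/p' |
    while read -r s; do
        if [ "$(norm_serial "$s")" = "$want" ]; then echo hit; break; fi
    done | grep -q hit
}

# Usage: find_revoking_crls CERT.pem CRL1.pem [CRL2.pem ...]
# Give one CRL per file: `openssl crl` parses only the first CRL in its input.
# The printed hash is the issuer-name hash used for the <hash>.rN link names.
find_revoking_crls() {
    cert=$1; shift
    serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
    for crl in "$@"; do
        hash=$(openssl crl -in "$crl" -noout -hash)
        if openssl crl -in "$crl" -noout -text | serial_in_crl_text "$serial"; then
            echo "$crl hash=$hash LISTED serial=$serial"
        else
            echo "$crl hash=$hash not-listed"
        fi
    done
}

# Constructed sample of `openssl crl -text` output, for trying the parser offline.
SAMPLE_CRL_TEXT='Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Jan  1 00:00:00 2010 GMT
    Serial Number: 0B
        Revocation Date: Jan  2 00:00:00 2010 GMT'

# Run only when given a certificate and at least one CRL file.
if [ "$#" -ge 2 ]; then find_revoking_crls "$@"; fi
```

Run against the per-CRL files from step 1, every line should show the same hash, and exactly the CRL that revokes the certificate should be marked LISTED.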

                                          