On Mon, Jun 14, 2010, matteo mattau wrote:

> Hi,
> I saw the thread "Multiple CRL with same issuer" on this mailing list, and I
> have the same problem:
>
> for one CA issuer I have 100 CRLs, and if the revoked certificate is not in
> the first CRL (in my case it is the 11th CRL), openssl verify returns ok.
>
> I have downloaded and installed openssl 1.0.0a,
> then
> 1) tried to create 1 file for each CRL in pem format, and created a symbolic
> link
>     ln -s crlPEMn.crl `openssl crl -hash -noout -in crlPEMn.crl`.rn
> with n from 0 to 99
> executing
>     openssl verify -verbose -CApath ./demoCA/certs -crl_check ./RevokedCert.cer
> the result is ok, and it is very fast, it seems that it checks only the first
> CRL (with .r0)
>
> 2) tried to create 1 file, with all the CRLs concatenated in pem format, and
> created a symbolic link
>     ln -s crlPEM.crl `openssl crl -hash -noout -in crlPEM.crl`.r0
> executing
>     openssl verify -verbose -CApath ./demoCA/certs -crl_check ./RevokedCert.cer
> the result is ok, but it is slow, as if it checks the whole big CRL file, but
> cannot find the revoked serial number.
>
> I've also tried to pass all the other verify args for CRL, but the result
> does not change.
>
> Please, where am I wrong? I downloaded openssl 1.0.0a because I've read that
> from 0.9.9dev there is support for multiple CRLs.
>
What are the dates on the first CRL? If it is valid then OpenSSL will use that
without any further lookups.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
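
A way to answer the question about CRL dates for all 100 files at once, added here as an example and not part of the original thread: it prints each CRL's lastUpdate/nextUpdate and whether that CRL lists the certificate's serial. The function names are hypothetical, and it assumes one PEM CRL per file (`openssl crl` reads only the first CRL in a file) and a PEM certificate.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one PEM CRL per file.

# Reduce "serial=0b", "0B" or "0b:1f" to bare upper-case hex without leading zeros.
normalize_serial() {
    printf '%s\n' "$1" | sed -e 's/^serial=//' | tr -d ': \r' \
        | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# crl_lists_serial SERIAL
# Reads `openssl crl -noout -text` output on stdin; returns 0 if SERIAL is revoked there.
crl_lists_serial() {
    want=$(normalize_serial "$1")
    while IFS= read -r line; do
        case $line in
            *"Serial Number:"*)
                got=$(normalize_serial "${line#*Serial Number: }")
                if [ "$got" = "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# report_crls CERT CRL...
# One line per CRL: match status plus its validity window. Needs the openssl CLI.
report_crls() {
    cert=$1; shift
    serial=$(openssl x509 -noout -serial -in "$cert") || return 2
    for crl in "$@"; do
        dates=$(openssl crl -noout -lastupdate -nextupdate -in "$crl" | tr '\n' ' ')
        if openssl crl -noout -text -in "$crl" | crl_lists_serial "$serial"; then
            echo "$crl: LISTS $serial  $dates"
        else
            echo "$crl: no match  $dates"
        fi
    done
}

# Usage: sh crlscan.sh ./RevokedCert.cer crlPEM*.crl
if [ "$#" -ge 2 ]; then
    report_crls "$@"
fi
```

A CRL reported as "no match" whose nextUpdate is still in the future is the case described in the reply: it is valid, so it is used without further lookups.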