Hi Everyone,

This is my first post to this list, so I apologise in advance if I have
overlooked list etiquette.  I have tried to read the documentation but
could not find anything that explained this aspect of openssl behaviour.
I've tried to read the source in eclipse/cdk but found myself quickly
beyond my depth once verify went into the depths of
X509_LOOKUP_load_file.

I'm trying to understand the behaviour of openssl verify in relation to
using the crl check in:
OpenSSL 0.9.8k 25 Mar 2009

My understanding is that OpenSSL should be using the combination of
options from the command line and those specified
in /usr/lib/ssl/openssl.cnf.

When I try to verify a certificate without the crl check all appears
fine:
da...@eurocorp:/home/ca/C=AU/O=test/OU=test$ openssl verify -CAfile
cacert.pem newcerts/00.pem
newcerts/00.pem: OK

However, when I try the CRL check I receive the following error:
da...@eurocorp:/home/ca/C=AU/O=test/OU=test$ openssl verify -CAfile
cacert.pem -crl_check newcerts/00.pem
newcerts/00.pem: /C=AU/O=test/OU=test/CN=Certificate
0/emailaddress=supp...@busibox.com.au
error 3 at 0 depth lookup:unable to get certificate CRL

So, when I investigate with strace I see that it is trying to stat the
following file:
stat64("/usr/lib/ssl/certs/07c527d9.r0", 0xbf84846c) = -1 ENOENT (No
such file or directory)

If I were to create a symlink at this location to my crl, I see the
desired output:
da...@eurocorp:/home/ca/C=AU/O=test/OU=test$ openssl verify -CAfile
cacert.pem -crl_check newcerts/00.pem
newcerts/00.pem: /C=AU/O=test/OU=test/CN=Certificate
0/emailaddress=supp...@busibox.com.au
error 23 at 0 depth lookup:certificate revoked

My questions are:
- Why is openssl trying to find the crl
at /usr/lib/ssl/certs/07c527d9.r0?
- Why does it choose to use the crl named 07c527d9.r0?  Is this some
hash as the filename?
- How can I override these options so that the correct file location is
used?

Best Regards,
David Balnaves

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
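An added example, not part of David's post or of OpenSSL's own code, that reproduces the lookup the strace shows: `openssl verify` searches the directory given by `-CApath` (when `-CApath` is absent, the `certs` directory under OPENSSLDIR, which is where `/usr/lib/ssl/certs` comes from even though `-CAfile` was given) for CA certificates named `<hash>.0` and CRLs named `<hash>.r0`, the hash being computed from the issuer's name. The script builds a throwaway CA, revokes one leaf certificate and populates such a directory two ways, reproducing both verdicts quoted in the post; it assumes an openssl CLI of version 1.1.1 or later on PATH (which hashes names differently from 0.9.8, so the hash value differs but the directory layout is the same), and every file name in it is constructed.

```shell
# Added example (not from the original post): reproduce the <hash>.r0 CRL
# lookup behind "unable to get certificate CRL" in a throw-away directory.
# Assumes openssl >= 1.1.1 on PATH; every file name below is constructed.
set -e
work=$(mktemp -d); cd "$work"
cat > ca.cnf <<'EOF'
[ test_ca ]
database = index.txt
new_certs_dir = .
certificate = cacert.pem
private_key = ca.key
serial = serial
default_md = sha256
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
mkdir nocrl withcrl; touch index.txt; echo 01 > serial
# Self-signed CA, one leaf certificate, revoke it, issue a CRL (quietly).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out cacert.pem -subj /CN=testca -days 1 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj /CN=leaf 2>/dev/null
openssl ca -batch -config ca.cnf -name test_ca -in leaf.csr -out leaf.pem \
    -days 1 -notext >/dev/null 2>&1
openssl ca -config ca.cnf -name test_ca -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -name test_ca -gencrl -out crl.pem >/dev/null 2>&1
# "nocrl" mirrors the poster's store (CA cert only); "withcrl" also holds the
# CRL as <issuer-hash>.r0 (-hash gives a cert's subject / a CRL's issuer hash).
cp cacert.pem nocrl/"$(openssl x509 -hash -noout -in cacert.pem)".0
cp nocrl/* withcrl/
cp crl.pem withcrl/"$(openssl crl -hash -noout -in crl.pem)".r0
# check DIR [verify options]: print the decisive verdict for leaf.pem.
check() {
    dir=$1; shift
    openssl verify -CApath "$dir" "$@" leaf.pem 2>&1 \
        | grep -oE '(certificate revoked|unable to get certificate CRL|OK)$' \
        | head -n 1
}
check nocrl                 # OK
check nocrl -crl_check      # unable to get certificate CRL
check withcrl -crl_check    # certificate revoked
```

Pointing `-CApath` at a directory laid out this way (or running `c_rehash` over it) is the supported way to tell `verify` where the CRL lives, instead of symlinking into the default directory.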
