Hi,

On further investigation, we have found that the addition of the following
piece of code enables the CRL checking.

X509_STORE *store = getStore();   /* getStore(): our own accessor for the SSL_CTX's X509_STORE
                                     (e.g. a wrapper around SSL_CTX_get_cert_store()) */

// Enable CRL checking
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);   /* check the leaf certificate against its CRL;
                                                                X509_V_FLAG_CRL_CHECK_ALL would also cover the CA chain */
X509_STORE_set1_param(store, param);   /* the store takes a copy of the parameters ... */
X509_VERIFY_PARAM_free(param);         /* ... so the local copy can be released */

It is also clear that SSL_CTX_load_verify_locations() is required to load the
CA certificate and the CRL concatenated into a single PEM file (alternatively
CApath, but we have not tried that yet).

I guess my problems are solved for now. If you guys have any comments on
this, please let me know. Otherwise you can ignore the previous email.

Regds,
Ashok

On Wed, Mar 28, 2012 at 10:08 PM, Ashok C <ash....@gmail.com> wrote:

> Hi,
>
> I am implementing the CRL feature for my application and was doing a proof of
> concept using OpenSSL.
> Here is what I did:
>
>    1. I used openssl commands to generate a v3 root CA certificate and
>    also the corresponding server certificate.
>    2. Now I revoked the server certificate using openssl commands.
>    3. First I tested this with the OpenSSL s_client and s_server. I
>    understood from googling that I need to use the -crl_check option on the
>    s_client side to do the CRL validation and, as instructed in the reference
>    manual, I concatenated my CA certificate as well as the CRL into a single
>    PEM file and passed it to the openssl client in the -CAfile field.
>    4. Things went as expected and I got the error code for CRL validation
>    failure.
>    5. Next step, I wanted to do the same for my sample SSL client and
>    server.
>    6. Here, from my client side, I loaded the concatenated cert + CRL
>    into combined.pem and loaded it using
>    SSL_CTX_load_verify_locations(ctx, "combined.pem", NULL). While doing
>    the SSL connection, I found that the CRL _was not_ checked. (I understand
>    now that this is NOT the API to set the CRL into verification paths.)
>    7. Later, from further reading I understood that CRL check is not done
>    by default and I need to add the CRL to the verification paths using X509
>    level APIs. (
>    http://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now
>    )
>
> >>
> X509_STORE *store = getStore();
>
> // Enable CRL checking
> X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
> X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
> X509_STORE_set1_param(store, param);
> X509_VERIFY_PARAM_free(param);
> >>
>
> I am going to try this out now, but before that, I wanted to check with the
> community:
>
>    - Is the way I am proceeding correct?
>    - Are there any other, simpler ways to do this?
>    - What would be the best approach to follow for enabling CRL checking?
>    - Are there any SSL_CTX level APIs for this now?
>
>
> I am using OpenSSL version openssl-0.9.8r. (I also wanted to know if this
> behaviour has changed in higher versions of OpenSSL.)
> Thanks in advance!
>
> Regds,
> Ashok
>
>
>
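Steps 1 to 4 of the quoted mail, replayed as an added example (this is not code from the thread or from OpenSSL itself): a throwaway root CA issues a server certificate and then revokes it, the CA certificate and the CRL are concatenated into one PEM file, and that file is used with and without `-crl_check`. `openssl verify` stands in for s_client/s_server so the check runs offline, but it reads the combined `-CAfile` the same way, and `-crl_check` sets the same `X509_V_FLAG_CRL_CHECK` that the thread enables through `X509_VERIFY_PARAM_set_flags()`. Everything in it is constructed for the demo: the names `Demo Root CA` and `server.example.test`, the file names, and the two minimal config files; the only assumption is an `openssl` command-line tool on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: replays the CLI experiment (steps 1-4)
# offline. A throwaway root CA issues a server certificate, revokes it, and the
# CA certificate + CRL are concatenated into one PEM file, the layout that
# -CAfile / SSL_CTX_load_verify_locations() expect. "openssl verify" stands in
# for s_client/s_server; -crl_check sets the same X509_V_FLAG_CRL_CHECK the
# thread enables through X509_VERIFY_PARAM_set_flags().
# Assumes only the openssl CLI. All names and files below are constructed.

# Prints "revoked" if the CRL is honoured only when -crl_check is given,
# "skip" if no openssl binary is on PATH; returns non-zero on any other outcome.
crl_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # Minimal req config: -subj supplies the name, ca_ext marks the root as a CA
        # (a v3 root without basicConstraints is rejected by the verifier).
        cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
        # Step 1: self-signed v3 root CA and the server certificate it signs.
        openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem >/dev/null 2>&1 || exit 1
        openssl req -config req.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=server.example.test" -keyout server.key -out server.csr >/dev/null 2>&1 || exit 1
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 30 -out server.pem >/dev/null 2>&1 || exit 1

        # Step 2: revoke it and issue a CRL. "openssl ca" needs a CA section and
        # an (initially empty) certificate database.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
        : > index.txt
        echo 01   > serial
        echo 1000 > crlnumber
        openssl ca -config ca.cnf -revoke server.pem >/dev/null 2>&1 || exit 1
        openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || exit 1

        # Step 3: CA certificate and CRL concatenated into a single PEM file.
        cat ca.pem crl.pem > combined.pem

        # Step 4: without -crl_check the CRL in the file is loaded but never
        # consulted, so the revoked certificate still verifies as "OK" ...
        openssl verify -CAfile combined.pem server.pem >/dev/null 2>&1 || exit 1
        # ... with -crl_check verification fails with error 23, certificate revoked.
        out=$(openssl verify -crl_check -CAfile combined.pem server.pem 2>&1) && exit 1
        echo "$out" | grep -q "certificate revoked" && echo revoked
    )
    status=$?
    rm -rf "$work"
    return $status
}

crl_demo
```

The first `verify` call is the behaviour step 6 of the quoted mail ran into: loading combined.pem makes the CRL available to the store, but nothing consults it until the CRL-check flag is set, which is what the X509_VERIFY_PARAM code at the top of the thread does for an application and what `-crl_check` does for the CLI.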
