Dr Henson-
The first message in this thread had the relevant code, copied again below. I 
have tried a few tweaks on setting up for CRL checking, but this is what I have 
now:
Reading the file in; I have edited out a lot of error checking, etc, but the 
CRL is read in successfully:

    X509_STORE    *trusted_store;   /* initialised elsewhere; for a TLS client typically SSL_CTX_get_cert_store() */
    X509_CRL      *crl;
    FILE          *fp;
    fp = fopen("/etc/ssl/crls/crl.pem", "r");
    crl = PEM_read_X509_CRL(fp, NULL, 0, NULL);
    fclose(fp);
    X509_STORE_add_crl(trusted_store, crl);
Then I enable CRL checking as follows (I have also tried setting only 
X509_V_FLAG_CRL_CHECK):

    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK |
                                       X509_V_FLAG_CRL_CHECK_ALL);
    X509_STORE_set1_param(trusted_store, param);
    X509_VERIFY_PARAM_free(param);
The fopen(), etc. is only for the CRL, but I loop through every .pem file in the 
/etc/ssl/crls directory and read in each one (successfully).

> Date: Wed, 30 Jul 2014 23:44:45 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: Can't get my CRL to work on my OpenSSL client
> 
> On Wed, Jul 30, 2014, Jason Schultz wrote:
> 
> > OK. So as far as you're aware, there's not a way to avoid the requirement of
> > the combined root cert/CRL file when checking for revoked certificates? I
> > would prefer to just have to deal with the CRL in PEM format, but the CRL
> > file must always be the CRL appended to the root cert, as far as I can tell.
> > Thanks for your prompt responses, by the way.
> > 
> 
> The CRL can come from anywhere as long as it is supplied to OpenSSL in the
> appropriate way.
> 
> There are some standard places a CRL can be included such as a file or
> directory containing the set of trusted certificates but it is not a
> requirement.
> 
> I can't really comment more without seeing a sample of how your code is
> loading the CRL and how it is enabling CRL checks.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org