We're trying to enable CRL checking on our client-side application. When
doing limited unit tests, everything is OK. But when we extend the tests
to a real server we see errors from places where they are least expected.

The error is "unable to get certificate CRL depth:0". The scenario is a
mutually authenticated SSL connection with the presence of 2 CRL records
on the client side.

None of the CRL records on the client side have anything at all to do
with the server we're trying to handshake with. And that is the puzzling
fact. The server's certificate is pure and is genuinely signed by
VeriSign. The CRLs are related to two internal certs we issued with our
self-signed root (which are, at the time of the test, completely out of
the picture).

The SSL error is always this:
SSL error 'certificate verify failed' (file:.\ssl\s3_clnt.c line:1056
data:'')
That's the one spot where I think all errors are caught.

Now I need guidance on the best way to troubleshoot this. Is there a
debug flag or print flag I can turn on during the certificate validation
to see all details? I cannot use the "verify" tool, of course.

thanks
Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
