I have a server that runs with many (1500) long-duration SSL connections. I am using 
CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the 
following code:

    // Per-SSL_CTX certificate store; the CRL loaded below lives as long as the ctx.
    X509_STORE* store = SSL_CTX_get_cert_store(ctx);
    if ( !store ) {
        ERR_print_errors_syslog(LOG_ERR);   // local logging helper, not an OpenSSL API
        throw std::runtime_error("SSL_CTX_get_cert_store");
    }

    // File-based lookup method used to pull the CRL into the store.
    X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if ( !lookup ) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_STORE_add_lookup");
    }
    // Load the PEM-encoded CRL once, at SSL_CTX build time.
    if (X509_load_crl_file(lookup, "crl.pem", X509_FILETYPE_PEM) != 1) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_load_crl_file");
    }

    // Require CRL checking of the peer's leaf certificate during verification.
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);


The problem is that after running for several hours, all new connections start getting 
rejected with a "certificate revoked" error. The actual error message also shows that 
the RSA signature on the CRL has gone bad. Restarting the system or even causing a 
rebuild of the SSL_CTX allows things to proceed.

Are there any known issues in 0.9.7d on OS X that might cause the CRL object to become 
corrupt?

What is a good lifespan for an SSL_CTX? Should I rebuild it every six hours or 
something?

I'm not using sessions.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

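Added example, not code from the post above: the OpenSSL snippet loads crl.pem once and then trusts that CRL object for as long as the SSL_CTX lives. The checks a long-running server wants around a CRL are that its signature verifies against the issuing CA, that its nextUpdate has not passed, and that it is re-read from disk once it goes stale, failing closed if no valid CRL is available. The code below shows those checks with the Python `cryptography` package rather than the OpenSSL C API; the CA, leaf certificate, both CRLs and the `CrlCache` helper are constructed for the demonstration and are not part of any project.

```python
"""Added example, not code from the original post: treat a loaded CRL as a
short-lived artifact. Verify its signature against the issuing CA, check its
nextUpdate, and reload it once it goes stale instead of keeping one CRL object
for the lifetime of the process. The CA, leaf and CRLs are constructed in memory."""
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def utc_now():
    # Naive UTC datetime; the cryptography builders treat naive values as UTC.
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def crl_next_update(crl):
    """nextUpdate as a naive UTC datetime, across cryptography releases."""
    if hasattr(crl, "next_update_utc"):          # cryptography >= 42 (aware datetime)
        nu = crl.next_update_utc
        return None if nu is None else nu.astimezone(dt.timezone.utc).replace(tzinfo=None)
    return crl.next_update                       # older releases: naive UTC


def crl_status(crl, issuer_public_key, now):
    """Return 'ok', 'bad-signature' or 'expired'. A CRL failing either check
    must not drive revocation decisions; fail closed and fetch a fresh one."""
    if not crl.is_signature_valid(issuer_public_key):
        return "bad-signature"
    nu = crl_next_update(crl)
    if nu is not None and now >= nu:
        return "expired"
    return "ok"


class CrlCache:
    """Hypothetical helper: keeps the current CRL and re-runs `loader` (for the
    poster's setup, re-reading crl.pem) whenever the cached CRL stops being valid."""

    def __init__(self, loader, issuer_public_key):
        self.loader = loader
        self.issuer_public_key = issuer_public_key
        self.crl = None

    def current(self, now):
        if self.crl is None or crl_status(self.crl, self.issuer_public_key, now) != "ok":
            fresh = self.loader()
            status = crl_status(fresh, self.issuer_public_key, now)
            if status != "ok":
                raise RuntimeError(f"no usable CRL: freshly loaded CRL is {status}")
            self.crl = fresh
        return self.crl

    def is_revoked(self, cert, now):
        crl = self.current(now)
        return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def make_ca_and_leaf(now):
    """Constructed test PKI: a self-signed CA and one leaf certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(now - dt.timedelta(days=1))
               .not_valid_after(now + dt.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client")]))
            .issuer_name(ca_name).public_key(leaf_key.public_key()).serial_number(1000)
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, leaf


def make_crl(ca_key, ca_cert, issued_at, revoked_serials, lifetime):
    """Constructed CRL signed by the CA, valid from issued_at for `lifetime`."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(issued_at).next_update(issued_at + lifetime))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(issued_at).build())
    return builder.sign(ca_key, hashes.SHA256())


def run_scenario():
    """Lifecycle walk-through: valid CRL, CRL goes stale, a reload picks up a
    new revocation, a CRL under the wrong key is rejected, and with only stale
    CRLs available the cache fails closed."""
    now = utc_now()
    ca_key, ca_cert, leaf = make_ca_and_leaf(now)
    one_hour = dt.timedelta(hours=1)
    crl_v1 = make_crl(ca_key, ca_cert, now, [], one_hour)                       # revokes nothing
    crl_v2 = make_crl(ca_key, ca_cert, now + one_hour, [leaf.serial_number], one_hour)
    published = [crl_v1]                        # stands in for crl.pem on disk
    cache = CrlCache(lambda: published[-1], ca_cert.public_key())
    results = {"initial_revoked": cache.is_revoked(leaf, now)}
    results["v1_after_2h"] = crl_status(crl_v1, ca_cert.public_key(), now + 2 * one_hour)
    published.append(crl_v2)                    # the CA publishes a newer CRL
    results["revoked_after_reload"] = cache.is_revoked(leaf, now + one_hour + dt.timedelta(minutes=30))
    wrong_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    results["wrong_issuer"] = crl_status(crl_v1, wrong_key.public_key(), now)
    try:
        cache.is_revoked(leaf, now + 3 * one_hour)   # every published CRL is stale by now
        results["fail_closed"] = False
    except RuntimeError:
        results["fail_closed"] = True
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The design point is that the CRL's own nextUpdate, not a fixed timer, decides when the server must re-read it, and that a reload which yields a CRL with a bad signature or a past nextUpdate leaves the server refusing connections rather than silently reusing the old object.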