I have a server that runs with many (1500) long-duration SSL connections. I am using CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the following code:
    #include <stdexcept>
    #include <syslog.h>
    #include <openssl/err.h>
    #include <openssl/ssl.h>
    #include <openssl/x509_vfy.h>

    // ctx is the SSL_CTX being built; ERR_print_errors_syslog() is the
    // poster's own logging helper, not an OpenSSL API.
    X509_STORE* store = SSL_CTX_get_cert_store(ctx);
    if ( !store ) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("SSL_CTX_get_cert_store");
    }

    // Add a file lookup method to the store and load the CRL through it.
    X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if ( !lookup ) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_STORE_add_lookup");
    }
    if (X509_load_crl_file(lookup, "crl.pem", X509_FILETYPE_PEM) != 1) {
        ERR_print_errors_syslog(LOG_ERR);
        throw std::runtime_error("X509_load_crl_file");
    }

    // Check the leaf certificate against the loaded CRL(s) on every verify.
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

The problem is that after running for several hours, all new connections start getting rejected with a "certificate revoked" error. The actual error message also shows that the RSA signature on the CRL has gone bad. Restarting the system or even causing a rebuild of the SSL_CTX allows things to proceed.

Are there any known issues in 0.9.7d on OS X that might cause the CRL object to become corrupt? What is a good lifespan for an SSL_CTX? Should I rebuild it every six hours or something? I'm not using sessions.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
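Since the question turns on what the CRL check does when the CRL is intact, when it lists the certificate, and when its signature no longer verifies, here is a command-line walk-through of those three cases. It is an added example, not code from the original post or from OpenSSL itself: it assumes only that the openssl CLI (1.1.1 or 3.x) is on PATH, every key, certificate and CRL it uses is throwaway material it generates itself, and the function and file names (crl_demo_setup, crl_verify, crl-empty.pem and so on) are this example's own. The third CRL is the first one with its final DER byte, which lies inside the signature, deliberately changed, a constructed stand-in for a CRL whose bytes went bad in memory.

```shell
#!/bin/sh
# Added example, not code from the original post: exercise OpenSSL's CRL
# check from the command line so each outcome can be seen in isolation.
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; all keys,
# certificates and CRLs are throwaway material created below.
set -eu

# Build a throwaway CA, a server certificate issued by it, and three CRLs in
# directory $1: one with nothing revoked, one that revokes the server cert,
# and one whose signature bytes have been damaged on purpose.
crl_demo_setup() {
  d=$1
  # Minimal config shared by `openssl req` and `openssl ca`.
  cat > "$d/demo.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 1
EOF
  : > "$d/index.txt"
  # Self-signed CA, then a server certificate signed by it.
  openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
      -days 2 -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=demo-server" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -sha256 -out "$d/server.pem" 2>/dev/null
  # CRL 1: valid, nothing revoked.
  openssl ca -config "$d/demo.cnf" -gencrl -crldays 1 -out "$d/crl-empty.pem" 2>/dev/null
  # CRL 2: revoke the server certificate and reissue.
  openssl ca -config "$d/demo.cnf" -revoke "$d/server.pem" 2>/dev/null
  openssl ca -config "$d/demo.cnf" -gencrl -crldays 1 -out "$d/crl-revoked.pem" 2>/dev/null
  # CRL 3: CRL 1 with its last DER byte (part of the signature) replaced;
  # try 0x01 then 0x02 so the byte is guaranteed to differ from the original.
  openssl crl -in "$d/crl-empty.pem" -outform DER -out "$d/orig.der" 2>/dev/null
  size=$(wc -c < "$d/orig.der" | tr -d ' ')
  for b in '\001' '\002'; do
    dd if="$d/orig.der" bs=1 count=$((size - 1)) 2>/dev/null > "$d/bad.der"
    printf "$b" >> "$d/bad.der"
    cmp -s "$d/bad.der" "$d/orig.der" || break
  done
  openssl crl -inform DER -in "$d/bad.der" -out "$d/crl-bad.pem" 2>/dev/null
}

# Verify the server cert with CRL checking (the CLI counterpart of
# X509_V_FLAG_CRL_CHECK) against CRL $2 in directory $1. Prints "OK" or the
# reason from OpenSSL's first "error N at D depth lookup" line, and returns
# openssl's verdict as the exit status.
crl_verify() {
  d=$1
  crl=$2
  if out=$(openssl verify -crl_check -CAfile "$d/ca.pem" -CRLfile "$d/$crl" \
           "$d/server.pem" 2>&1); then
    echo OK
    return 0
  fi
  printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  return 1
}

# Run all three cases in a scratch directory and print one verdict per CRL.
crl_demo_main() {
  d=$(mktemp -d)
  crl_demo_setup "$d"
  for crl in crl-empty.pem crl-revoked.pem crl-bad.pem; do
    printf '%-16s -> %s\n' "$crl" "$(crl_verify "$d" "$crl" || true)"
  done
  rm -rf "$d"
}

crl_demo_main
```

Running it prints OK for the empty CRL, certificate revoked for the CRL that lists the server certificate, and CRL signature failure for the CRL with the altered byte. The last two are distinct verification errors (X509_V_ERR_CERT_REVOKED and X509_V_ERR_CRL_SIGNATURE_FAILURE), so a store whose CRL has genuinely lost its signature reports exactly that rather than a revocation. Separately from any corruption, a CRL loaded once into a long-lived SSL_CTX has a nextUpdate field, and once that time passes X509_V_FLAG_CRL_CHECK rejects every connection with CRL has expired (X509_V_ERR_CRL_HAS_EXPIRED), so the useful lifetime of a store built this way is bounded by the issuer's CRL reissue schedule rather than by a fixed number of hours.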