On Tue, Aug 17, 2004, Joseph Bruni wrote:

> I have a server that runs with many (1500) long-duration SSL connections. I am using 
> CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the 
> following code:
> 
>               X509_STORE* store = SSL_CTX_get_cert_store(ctx);
>               if ( !store ) {
>                       ERR_print_errors_syslog(LOG_ERR);
>                       throw std::runtime_error("SSL_CTX_get_cert_store");
>               }
>               
>               X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
>               if ( !lookup ) {
>                       ERR_print_errors_syslog(LOG_ERR);
>                       throw std::runtime_error("X509_STORE_add_lookup");
>               }
>               if (X509_load_crl_file(lookup,"crl.pem",
>                                       X509_FILETYPE_PEM) != 1)
>               {
>                       ERR_print_errors_syslog(LOG_ERR);
>                       throw std::runtime_error("X509_load_crl_file");
>               }
> 
>               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
> 
> 
> The problem is that after running for several hours, all new connections start 
> getting rejected with a "certificate revoked" error. The actual error message also 
> shows that the RSA signature on the CRL has gone bad. Restarting the system or even 
> causing a rebuild of the SSL_CTX allows things to proceed.
> 
> Are there any known issues in 0.9.7d on OS X that might cause the CRL object to 
> become corrupt?
> 

Nothing I know of. The CRL might expire which would cause errors but not
certificate revoked or signature errors.

Steve
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
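Worked example, added here and not code from the thread or from OpenSSL itself. The server in the question loads a CRL once into the SSL_CTX's X509_STORE with X509_load_crl_file and turns on X509_V_FLAG_CRL_CHECK. The script below exercises the same check through the openssl command-line tool on a throwaway CA (keys, certificates, the CA database and the CRLs are all generated in a temporary directory; "Demo Test CA", "leaf.example" and the file names are assumptions for the demo) and shows that a revoked certificate, a CRL past its nextUpdate and a CRL whose signature no longer verifies are three distinct verify errors. It also runs the two checks worth doing on a CRL before loading it: a signature check against the CA with openssl crl -verify, and a look at nextUpdate. It needs the openssl binary in PATH.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenSSL): exercise CRL
# checking with the openssl CLI on a throwaway CA built in a temp dir, and
# show the three distinct verify errors a bad CRL situation can produce.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_ca() {
    mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    # Minimal config for `openssl req` and `openssl ca` (constructed for the demo).
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 1
x509_extensions = leaf_ext
policy = demo_policy
[ leaf_ext ]
basicConstraints = CA:FALSE
[ demo_policy ]
commonName = supplied
EOF
    openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Demo Test CA" -days 365 >>ca.log 2>&1
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example" >>ca.log 2>&1
    openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.pem >>ca.log 2>&1
}

# Verify leaf.pem against the CA with CRL checking on; print "OK" or the
# verify error text ("certificate revoked", "CRL has expired", ...).
verify_leaf() {
    crl=$1; shift
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$crl" "$@" leaf.pem 2>&1) || true
    case $out in
        *"leaf.pem: OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup:* *//p' | head -n 1 ;;
    esac
}

# The check to run before loading a CRL: does its signature verify under the CA?
crl_signature_status() {
    if openssl crl -in "$1" -noout -CAfile ca.pem -verify 2>&1 | grep -q 'verify OK'
    then echo OK; else echo FAIL; fi
}

# Change the last byte of the CRL's DER encoding (inside the signature value) to
# get a CRL that still parses but whose RSA signature no longer verifies.
corrupt_crl() {
    openssl crl -in "$1" -outform DER -out tmp.der
    size=$(wc -c < tmp.der)
    last=$(tail -c 1 tmp.der | od -An -tu1 | tr -d ' \n')
    printf "\\$(printf '%03o' $(( (last + 1) % 255 + 1 )))" |
        dd of=tmp.der bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    openssl crl -inform DER -in tmp.der -out "$2"
}

make_ca
openssl ca -batch -config ca.cnf -gencrl -out crl_empty.pem >>ca.log 2>&1
RESULT_OK=$(verify_leaf crl_empty.pem)
# A CRL past nextUpdate: verify at a time three days out (the CRL is valid for one).
RESULT_EXPIRED=$(verify_leaf crl_empty.pem -attime $(( $(date +%s) + 3 * 86400 )))
openssl ca -batch -config ca.cnf -revoke leaf.pem >>ca.log 2>&1
openssl ca -batch -config ca.cnf -gencrl -out crl_revoked.pem >>ca.log 2>&1
RESULT_REVOKED=$(verify_leaf crl_revoked.pem)
corrupt_crl crl_revoked.pem crl_bad.pem
RESULT_BADSIG=$(verify_leaf crl_bad.pem)

printf 'fresh CRL, unrevoked cert: %s\nexpired CRL:               %s\n' "$RESULT_OK" "$RESULT_EXPIRED"
printf 'fresh CRL, revoked cert:   %s\ncorrupted CRL signature:   %s\n' "$RESULT_REVOKED" "$RESULT_BADSIG"
printf 'CRL signature check: good=%s bad=%s; ' \
    "$(crl_signature_status crl_revoked.pem)" "$(crl_signature_status crl_bad.pem)"
openssl crl -in crl_revoked.pem -noout -nextupdate
```

Two caveats the C code in the question runs into. X509_V_FLAG_CRL_CHECK verifies the CRL's signature and its nextUpdate on every handshake but only checks the leaf certificate for revocation; X509_V_FLAG_CRL_CHECK_ALL extends the check to the whole chain. And OpenSSL never re-reads a CRL it has already loaded into an X509_STORE, so a process that loads crl.pem at startup and runs for days has to reload the CRL itself (or rebuild the SSL_CTX, as the question does) before nextUpdate passes, otherwise every new connection fails with "CRL has expired".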