I wrote a bit earlier about a problem I'm having with regards to a server that is verifying client certificates against a CRL. I currently have about 2000 clients connected simultaneously. Without reason, the CRL object in my SSL_CTX goes bad and all new connections fail with the following error chain:

    X509_verify_cert_error_string() = CRL signature failure
    error:04077068:rsa routines:RSA_verify:bad signature
    error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib
    error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Only by bouncing the process can I get things working again. After removing the code that adds CRL checking to my SSL_CTX, the server runs fine, but I obviously can no longer reject clients with revoked certs.

In the OpenSSL book, the example that shows how to add CRL checking went through the process of adding a "file lookup" to the X509_STORE object. After poking around in the openssl source code a bit, I found a function called X509_STORE_add_crl(). Could the CRL object corruption be related to using the lookup? Would it be better to explicitly read in the X509_CRL object using a PEM_read function and then call this function to add it to the store? Or are these two methods equivalent?

I also looked through the s_server and s_client code for examples on how to add a CRL but couldn't find anything; just the setting of the flags when -crl_check is on the command line.

Bottom line, what is the proper way to do CRL checking?

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]