On Fri, Jul 22, 2005, David Brock wrote: > I think this question got lost in the shuffle. I am confused as to how > to check the update time of the CRL (if the CRL has expired). Does this > check happen in X509_CRL_verify(), or is there another way to do it? > I've got a CRL that has an update time set to 7 days, but the > verification is still succeeding even after 30 days. Can someone please > tell me what I'm missing? >
X509_CRL_verify() only checks CRL signatures. When CRLs are used during the normal certificate verification procedure the dates are checked. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]