Hello everybody,

I am trying to build an SSL server which performs client authentication and CRL
management.

To manage this:
First, with X509_STORE_add_cert, I add the certificate coming from the
"trustees.pem" file to verify the client certificate.
Then I read the CRL file and get the corresponding X509_CRL object:
with the X509_STORE_add_crl API, I put my X509_CRL object in the store too
and call X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK) to say I want to check
the CRL.
Finally, with SSL_CTX_set_cert_store, I put my store in my SSL_CTX structure.

Whenever a client connects, I get its certificate with SSL_get_certificate_peer
and, as far as I understand, I believe I only have to call the
SSL_get_verify_result API in order to know that the client authentication is
correct and that its certificate does not belong to those described as revoked in
the CRL file.

Did I use those APIs properly, since I do not get a correct result (the client
certificate has a serial number which is considered as revoked in the CRL file, but
SSL_get_verify_result always returns X509_V_OK!)?

Thank you in advance for your help !

Jf

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]