Thank you for your response.
Actually I use the default verify_callback function (NULL)
   "SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);"
By default, does it not take into account possible errors coming from the client
certificate?
Does it mean it is compulsory to call a verify callback function?


>
> Hello everybody,
>
> I am trying to build an SSL server which performs client authentication and CRL
> management.
>
> To manage this:
> First, with X509_STORE_add_cert, I add the certificate coming from the
> "trustees.pem" file to verify the client certificate.
> Then I read the CRL file and get the corresponding X509_CRL object:
> with the X509_STORE_add_crl API, I put my X509_CRL object in the store too
> and call X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK) to say I want to check
> the CRL.
> Finally, with SSL_CTX_set_cert_store, I put my store in my SSL_CTX structure.
>
> Whenever a client connects, I get its certificate with SSL_get_peer_certificate
> and, as far as I understand, I believed I only have to call the
> SSL_get_verify_result API in order to know that the client authentication is
> correct and that its certificate does not belong to those described as revoked
> in the CRL file.
>
> Did I use those APIs properly, since I do not get a correct result (the client
> certificate has a serial number which is considered as revoked in the CRL file,
> but SSL_get_verify_result always returns X509_V_OK!)?
>
> Thank you in advance for your help !
>

If you have a verify callback that is set to ignore all errors it will show
X509_V_OK.

I'd suggest you try using the s_client application and/or the verify
application on the chain.

Failing that post the chain and CRL and the command line you used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

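Since the question hinges on whether the CRL is actually consulted during
verification, here is a self-contained way to reproduce the check with the
openssl command line, along the lines of Steve's suggestion to run the verify
application on the chain. This is an added example, not code from the thread
or from the OpenSSL project: it builds a throwaway CA, issues a client
certificate, revokes it, publishes a CRL, and runs `openssl verify` with and
without CRL checking. The file names, subject names and the minimal req/ca
configuration sections are made up for the example, and it assumes an
`openssl` binary (1.1.1 or 3.x) on PATH.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Reproduces the
# revocation check that X509_V_FLAG_CRL_CHECK performs, using the openssl CLI.
# Assumes the openssl binary (1.1.1 or 3.x) is on PATH; every file name,
# subject name and config section below is made up for this example.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so `openssl req` does not depend on the system
# openssl.cnf. v3_ca gives the CA the CA:TRUE and cRLSign bits verify expects.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Root CA. Plays the role of the "trustees.pem" certificate in the thread.
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. Client certificate issued by that CA.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out client.pem 2>/dev/null

# 3. Minimal `openssl ca` configuration: only what -revoke and -gencrl read.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt        # empty issuance database; -revoke adds the entry itself
echo 01 > crlnumber  # CRL number counter

# 4. Revoke the client certificate and issue a CRL signed by the CA.
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# verify_client MODE: exit status of `openssl verify` (0 means X509_V_OK).
#   nocrl  - trust store holds only the CA, no revocation checking at all
#   crl    - CA plus CRL with -crl_check (leaf only, like X509_V_FLAG_CRL_CHECK)
#   crlall - same with -crl_check_all (every certificate in the chain is checked)
verify_client() {
    case "$1" in
        nocrl)  openssl verify -CAfile ca.pem client.pem ;;
        crl)    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check client.pem ;;
        crlall) openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check_all client.pem ;;
        *)      echo "usage: verify_client nocrl|crl|crlall" >&2; return 2 ;;
    esac
}

# verify_reason MODE: the verify error text, e.g. "certificate revoked" (the
# string for X509_V_ERR_CERT_REVOKED), or empty when verification succeeded.
verify_reason() {
    verify_client "$1" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# Stand-alone run: show both outcomes side by side.
verify_client nocrl >/dev/null 2>&1 && echo "without CRL: X509_V_OK"
echo "with CRL:    $(verify_reason crl)"
```

`-crl_check` sets the same X509_V_FLAG_CRL_CHECK on the verify store that
X509_STORE_set_flags sets in the code above, and "certificate revoked" is the
text for X509_V_ERR_CERT_REVOKED, the value SSL_get_verify_result reports when
a store with that flag and that CRL rejects the client certificate. Two things
worth checking on the server side, both from the SSL_CTX_set_verify and
SSL_get_verify_result manual pages: with SSL_VERIFY_PEER and a NULL callback a
verification failure terminates the handshake with an alert, so a connection
that gets far enough to call SSL_get_verify_result has already passed; and
SSL_get_verify_result returns X509_V_OK when the client presented no
certificate at all, so pair it with SSL_get_peer_certificate or add
SSL_VERIFY_FAIL_IF_NO_PEER_CERT. A custom callback that returns 1
unconditionally is the case Steve describes: the handshake completes
regardless of verification failures.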