On Thu, Feb 04, 2010, Adam Grossman wrote:

> hello once again,
>
> i am trying to get CRLs working for client certs. i have read about a
> million different ways of doing this, but this is how i am doing it:
>
>     X509_CRL *x509_c;
>     X509_STORE *store = SSL_CTX_get_cert_store(ctx);
>     X509_LOOKUP *lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
>
>     X509_load_cert_crl_file(lu, <file name>, X509_FILETYPE_PEM);
>     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
>
> and when the server receives the peer cert, i do:
>
>     peer = SSL_get_peer_certificate(ssl);
>     SSL_get_verify_result(ssl);
>
> but certs in the CRL are being verified. what am i doing wrong?
>
> just as a warning, once this is setup, i have a few more follow-up
> questions.
What happens if you don't include the CRLs? You should get an error about
it being unable to look up the CRL.

Can you get this to work with s_server?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org