On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> On Thu, Feb 04, 2010, Adam Grossman wrote:
> 
> > hello once again,
> > 
> > i am trying to get CRLs working for client certs. i have read about a
> > million different ways of doing this, but this is how i am doing it:
> > 
> > X509_CRL *x509_c;
> > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > 
> > X509_load_cert_crl_file(lu,<file name>,X509_FILETYPE_PEM);
> > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > X509_V_FLAG_CRL_CHECK_ALL);
> > 
> > and when the server receives the peer cert, i do:
> > 
> > peer = SSL_get_peer_certificate(ssl);
> > SSL_get_verify_result(ssl);
> > 
> > but certs in the CRL are being verified. what am i doing wrong?
> > 
> > just as a warning, once this is set up, i have a few more follow-up
> > questions.
> > 
> 
> What happens if you don't include the CRLs? You should get an error about it
> being unable to look up the CRL.
> 
> Can you get this to work with s_server?
> 
> Steve.
if i do not include the CRLs, i get this error from the browser (Error code:
ssl_error_unknown_ca_alert). i need this to work if there is no CRL for the
CA, to let it through, and if there is, look it up. i do not even have a
problem doing it by hand (verifying the serial # of the peer cert against
known ones in the CRL lists), but i could not find a way to pull the serial
numbers out of the CRLs.

i am not sure what i am looking for in s_server. i ran it, it printed out the
HTTP request, and nothing else. it did give a "bad gethostbyaddr", but i do
not know if that has anything to do with it.

thank you,

-=- adam grossman

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org