On Thu, Feb 04, 2010, Adam Grossman wrote:

> On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > >
> > > hello once again,
> > >
> > > I am trying to get CRLs working for client certs. I have read about a
> > > million different ways of doing this, but this is how I am doing it:
> > >
> > >     X509_CRL *x509_c;
> > >     X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > >     X509_LOOKUP *lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > >
> > >     /* load the CA certificate(s) and CRL(s) from one PEM file */
> > >     X509_load_cert_crl_file(lu, <file name>, X509_FILETYPE_PEM);
> > >     /* CRL_CHECK: check the peer cert; CRL_CHECK_ALL: the whole chain */
> > >     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
> > >                                 X509_V_FLAG_CRL_CHECK_ALL);
> > >
> > > and when the server receives the peer cert, I do:
> > >
> > >     peer = SSL_get_peer_certificate(ssl);
> > >     SSL_get_verify_result(ssl);
> > >
> > > but certs in the CRL are being verified. What am I doing wrong?
> > >
> > > Just as a warning, once this is set up, I have a few more follow-up
> > > questions.
> > >
> >
> > What happens if you don't include the CRLs? You should get an error about
> > it being unable to lookup the CRL.
> >
> > Can you get this to work with s_server?
> >
> > Steve.
>
> If I do not include the CRLs, I get this error from the browser (Error
> code: ssl_error_unknown_ca_alert).
>
> I need this to work if there is no CRL for the CA, to let it through,
> and if there is, look it up. I do not even have a problem doing it by
> hand (verifying the serial # of the peer cert against known ones in the
> CRL lists), but I could not find a way to pull the serial numbers out of
> the CRLs.
>
> I am not sure what I am looking for in s_server. I ran it, it printed
> out the HTTP request, and nothing else. It did give a "bad
> gethostbyaddr", but I do not know if that has anything to do with it.
>
Include the -crl_check and -crl_check_all arguments to s_server. You can also
include the -www option which causes it to send a status page back to the
browser. Any CRLs can be included in the -CAfile file.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
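The advice in the reply, reproduced on the command line as an added example
(this script is not part of the original thread and is not OpenSSL project
code). It builds a throwaway CA in a temporary directory, issues two client
certificates, revokes one, appends the CRL to the -CAfile bundle exactly as
the reply suggests, and then runs "openssl verify" with the same -crl_check
and -crl_check_all flags that s_server takes (both set X509_V_FLAG_CRL_CHECK
and X509_V_FLAG_CRL_CHECK_ALL on the X509_STORE, as in the C snippet quoted
above). The CA name, the client names "alice" and "bob", the serial numbers
and all config values are constructed for the demo. The third check shows
what the reply predicts for the no-CRL case: with CRL checking enabled and no
CRL loaded for the issuer, verification fails with "unable to get certificate
CRL" rather than letting the certificate through. The last helper answers the
"pull the serial numbers out of the CRL" question with "openssl crl -text".

```shell
#!/bin/sh
# Added example, not from the thread: exercise CRL checking with the OpenSSL
# CLI.  Everything below is generated on the fly in a temp directory; the CA,
# names, serials and config values are demo constructions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial      # hex: the first issued cert gets serial 0x1000
echo 01   > ca/crlnumber

# Minimal config for "openssl req" and "openssl ca" (demo values).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
x509_extensions  = usr_cert
policy           = policy_any
unique_subject   = no
[ policy_any ]
commonName = supplied
EOF

# Self-signed demo CA.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null

# Two client certs: alice (about to be revoked) and bob (stays valid).
for name in alice bob; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext \
        -in "$name.csr" -out "$name.pem" >/dev/null 2>&1
done

# Revoke alice and publish the CRL.
openssl ca -config ca.cnf -revoke alice.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# As in the reply: the CRL is simply appended to the -CAfile bundle;
# the PEM loader picks up both the CA certificate and the CRL.
cat ca.pem crl.pem > bundle.pem

# verify_status BUNDLE CERT -> prints ok | revoked | no_crl | other:<text>.
# The verdict is taken from the text, not the exit code, because older
# releases of "openssl verify" exited 0 even on failure.
verify_status() {
    out=$(openssl verify -crl_check -crl_check_all -CAfile "$1" "$2" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*)            echo revoked ;;
        *"unable to get certificate CRL"*)  echo no_crl ;;
        *": OK"*)                           echo ok ;;
        *)                                  echo "other: $out" ;;
    esac
}

# revoked_serials CRL -> hex serial numbers listed in the CRL, one per line.
revoked_serials() {
    openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

echo "alice vs bundle (CRL present):    $(verify_status bundle.pem alice.pem)"
echo "bob   vs bundle (CRL present):    $(verify_status bundle.pem bob.pem)"
echo "bob   vs CA only (no CRL loaded): $(verify_status ca.pem bob.pem)"
echo "serials in CRL: $(revoked_serials crl.pem | tr '\n' ' ')"

# The equivalent s_server invocation from the reply (not run here because it
# blocks waiting for connections; -Verify makes the client cert mandatory):
#   openssl s_server -accept 4433 -www -cert bob.pem -key bob.key \
#       -CAfile bundle.pem -Verify 1 -crl_check -crl_check_all
```

Expected verdicts: alice is reported revoked, bob is OK against the bundle,
and bob fails with the "unable to get certificate CRL" error when only the
CA certificate (no CRL) is loaded. Point a browser at the s_server command
in the comment and the -www status page reports the same verify result for
the presented client certificate.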