On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
> On Thu, Feb 04, 2010, Adam Grossman wrote:
>
> > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > >
> > > > hello once again,
> > > >
> > > > i am trying to get CRLs working for client certs. i have read about a
> > > > million different ways of doing this, but this is how i am doing it:
> > > >
> > > > X509_CRL *x509_c;
> > > > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > > > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > > >
> > > > X509_load_cert_crl_file(lu,<file name>,X509_FILETYPE_PEM);
> > > > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > > > X509_V_FLAG_CRL_CHECK_ALL);
> > > >
> > > > and when the server recieves the peer cert, i do:
> > > >
> > > > peer = SSL_get_peer_certificate(ssl);
> > > > SSL_get_verify_result(ssl);
> > > >
> > > > but certs in the CRL are being verified. what am i doing wrong?
> > > >
> > > > just as a warning, once this is setup, i have a few more follow
> > > > questions.
> > > >
> > >
> > > What happens if you don't include the CRLs? You should get an error about
> > > it
> > > being unable to lookup the CRL.
> > >
> > > Can you get this to work with s_server?
> > >
> > > Steve.
> >
> > if i do not include the CRLs, a get this error from the browser (Error
> > code: ssl_error_unknown_ca_alert).
> >
> > i need this to work if there is no CRL for the CA, to let it through,
> > and if there is, look it up. i do not even have a problem doing it by
> > hand (verifying the serial # of the peer cert against known ones in the
> > CRL lists), but i could not find a way to pull the serial numbers out of
> > the CRLs.
> >
> > i am not sure what i am looking for in s_server. i ran it, it printed
> > out the HTTP request, and nothing else. it did give a "bad
> > gethostbyaddr", but i do not know if that has anything to with it.
> >
>
> Include the -crl_check and -crl_check_all arguments to s_server. You can also
> include the -www option which causes it to send a status page back to the
> browser. Any CRLs can be included in the -CAfile file.
>
> Steve.
It's kind of hard to do this for this server. The cert is requested
after the 2nd handshake, so unless i am attaching to my server, it's
very hard to use the s_server. i am also trying this from the O'Reilly
openssl book. and for what i need to do, i would prefer to go this
route:
after the handshake is complete;
peer=SSL_get_peer_certificate(ssl);
store=X509_STORE_new();
r=X509_STORE_load_locations(store,NULL,CA_cert_path);
r=X509_STORE_set_default_paths(store);
lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
r=X509_load_crl_file(lookup, <CRL File>,X509_FILETYPE_PEM);
X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
verify_ctx = X509_STORE_CTX_new();
r=X509_STORE_CTX_init(verify_ctx,store,peer,NULL);
r=X509_verify_cert(verify_ctx);
and the verify always fails, even when i have a client cert from the
same CA as the CRL, but is not in the revoked list.
thank you so much,
-=- adam grossman
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
