On Wed, Mar 16, 2011, Jeff Saremi wrote:

> So as per previous posts, I implemented lookup_crl().
> Now one of the major problems is what do I return from this method, if
> the certificate has no CRL distribution points!
> Returning an empty stack causes get_crl_delta() to fail.
> Is there a flag that I can set up to let this cert be excluded from CRL
> checking?
> Is that something I should be doing in lookup_crl? Or should the
> framework be smart enough not to even ask me for a CRL in this case?
>

There are other "out of band" mechanisms where a CRL might be available but
not mentioned in a CRLDP. OpenSSL has no way of telling what those might be
and if the absence is really an error or not.

The best you can do is trap the issuer error in the verify callback and ignore
it if appropriate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org