Hi,
I'm having a problem where my 'server' code verifies a client as OK, even
though their cert was revoked.
I've tested my client against openssl s_server, which properly states:
verify error:num=23:certificate revoked, so I know the cert/ca is setup OK.
Some relevant server code:
/* set verify params */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
SSL_CTX_set_verify_depth(ctx, 1); /* played with different values, doesn't have an effect */

/* wait for connection */
if (BIO_do_accept(abio) <= 0) {
    /* cleanup and exit */
}

/* process connection (probably on a new thread) */
out = BIO_pop(abio);

/* do SSL handshake */
if (BIO_do_handshake(out) <= 0) {
    printf("Handshake failed.\n");
    ERR_print_errors_fp(stdout);
    /* cut some cleanup... */
    return -1;
}

/* validate cert... */
SSL *ssl2;
BIO_get_ssl(out, &ssl2);

/* verify conn */
if (SSL_get_verify_result(ssl2) != X509_V_OK) {
    /* never gets here */
} else
    printf("verified ok %ld\n", SSL_get_verify_result(ssl2));
So it always prints "verified ok 0" - which is the verified code.
Any ideas??
Thanks!!
--
View this message in context:
http://old.nabble.com/A-%28client%27s%29-revoked-certificate-verifies-as-OK-%21-%21%21-tp32695926p32695926.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
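The behaviour in the post above is what OpenSSL does by default: SSL_VERIFY_PEER only builds and validates the chain, and a revoked certificate still gets X509_V_OK unless revocation checking is switched on with X509_V_FLAG_CRL_CHECK and a CRL is actually present in the store. The script below reproduces both outcomes end to end with the openssl command line. It is an added example written for this page, not code from the original post or from the OpenSSL project; it assumes an `openssl` binary on PATH and builds a throwaway CA, a client certificate, a revocation and a CRL in a temporary directory (all constructed test data, no real keys), then verifies the same certificate against the same trust bundle with and without -crl_check.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, issue a
# client cert, revoke it, and verify the cert with and without CRL checking.
# Everything is generated here; no real keys or hosts are involved.
set -e

WORK=$(mktemp -d)
cd "$WORK"
mkdir newcerts
touch index.txt
echo 01 > serial

# Config for both 'openssl req' (CA self-signing) and 'openssl ca'.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_policy
x509_extensions = v3_leaf
[ any_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF

# Self-signed CA, then a client certificate issued by it.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Test CA" -days 30 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=client" 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.pem 2>/dev/null

# Revoke the client certificate and publish a CRL that says so.
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# One PEM bundle holding both the CA cert and the CRL. This is the same kind
# of file you would hand to SSL_CTX_load_verify_locations(), which loads CRLs
# as well as certificates from a PEM file.
cat ca.pem crl.pem > ca_and_crl.pem

# Chain validation only: the CRL sits in the store but is never consulted,
# so the revoked certificate is reported as OK.
verify_without_crl() {
    openssl verify -CAfile ca_and_crl.pem client.pem 2>&1 | grep -q ': OK'
}

# Same store, CRL checking switched on: error 23, certificate revoked.
verify_with_crl() {
    openssl verify -crl_check -CAfile ca_and_crl.pem client.pem 2>&1 \
        | grep -q 'certificate revoked'
}

if verify_without_crl; then echo "no -crl_check: client.pem verifies OK"; fi
if verify_with_crl; then echo "-crl_check:    client.pem is reported revoked"; fi
```

The -crl_check flag is the command-line counterpart of setting X509_V_FLAG_CRL_CHECK on the context's certificate store, i.e. X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_CRL_CHECK) after the CA bundle (with the CRL appended, as above) has been loaded via SSL_CTX_load_verify_locations(). Use X509_V_FLAG_CRL_CHECK_ALL as well if intermediate CAs must be checked too, and remember that the store holds a snapshot of the CRL: once it passes its nextUpdate, verification fails with X509_V_ERR_CRL_HAS_EXPIRED until a fresh CRL is loaded.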