I managed to solve my problem. I just needed to add the path to the CRL file to my squid config (crlfile=/root/sslCA/crls/crl.pem), and now when connecting with a revoked certificate I get a message that the certificate was revoked and no connection to the backend server is established.
Yuriy KoloboK wrote:
>
> Hello colleagues!
>
> I need help with revocation of a client certificate in OpenSSL (v 0.9.8n).
> I have set up a CA with a self-signed certificate so I can generate and sign
> client certificates which are used to access squid, which in turn forwards
> traffic to an exchange server.
> In the squid.conf file there is this line which is responsible for asking for
> the client certificate:
>
> ##
> clientca=/root/sslCA/cacert.pem capath=/root/sslCA
> ##
>
> /root/sslCA/cacert.pem is the CA certificate.
>
> I also created a crl.pem in /root/sslCA/crls/ for certificate revocation.
>
> The situation is as follows:
>
> If a client connects without having a client certificate installed it gets an
> error (Error code: ssl_error_handshake_failure_alert), and no connection is
> established.
> If the certificate generated with the OpenSSL CA is installed on the client
> then it can connect to the server.
> So far so good.
>
> Now I want to disallow one client from connecting to the server.
>
> I revoke the certificate:
> # openssl ca -revoke username.crt
> Using configuration from /etc/ssl/openssl.cnf
> Enter pass phrase for /root/sslCA/private/cakey.pem:
> Revoking Certificate 1003.
> Data Base Updated
>
> Update the CRL:
> # openssl ca -gencrl -out /root/sslCA/crls/crl.pem
> Using configuration from /etc/ssl/openssl.cnf
> Enter pass phrase for /root/sslCA/private/cakey.pem:
>
>
> I check to see if the certificate is revoked:
> # openssl crl -in /root/sslCA/crls/crl.pem -noout -text
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: xxxxxx
>         Issuer: xxxxxx
>         Last Update: Oct  1 22:04:24 2012 GMT
>         Next Update: Sep 29 22:04:24 2022 GMT
>         CRL extensions:
>             X509v3 CRL Number:
>                 4098
> Revoked Certificates:
>     Serial Number: 1003
>         Revocation Date: Oct  1 22:02:32 2012 GMT
>
>
> It shows that certificate 1003 is revoked.
>
> Now I try to connect to the server with this client's certificate and the
> connection establishes just fine.. How is it possible???
> I thought if you revoke a certificate it won't be accepted by the CA anymore??
> But in my case it is accepted even though the CA shows the certificate's
> status as revoked.
> How can I prohibit/invalidate the certificate of the client so it cannot
> connect to the server anymore?
>
> Thank you in advance for any helpful suggestions
> Yuriy
>

-- 
View this message in context: http://old.nabble.com/Client-certificate-revocation-is-not-working-tp34502546p34502681.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
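An added example, not code from the thread: this script builds a throwaway CA with the openssl CLI, issues and revokes a client certificate the way the thread does, and shows that the certificate still verifies until the CRL is actually consulted, which is the check squid's crlfile= setting turns on. All names, paths and the config file are assumptions made for the demo.

```shell
# Added example (not from the thread): build a throwaway CA, issue and revoke a
# client cert, and show it still verifies unless the CRL is actually consulted.
set -eu

# Build CA key/cert, one client cert, its revocation and a CRL inside directory $1.
setup_demo_ca() (
  cd "$1"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = cacert.pem
private_key = cakey.pem
default_md = sha256
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  touch index.txt; echo 1003 > serial      # constructed serial, echoing the thread
  openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=alice" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -days 365 -in client.csr -out client.crt -notext 2>/dev/null
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null                 # openssl ca -revoke
  openssl ca -config ca.cnf -gencrl -crldays 30 -out crl.pem 2>/dev/null   # openssl ca -gencrl
)

# Verify client.crt in $1 against the CA; "$2" = crl also consults crl.pem, which is
# the extra check squid's crlfile= enables. Echoes "accepted" or "revoked".
check_client_cert() {
  opts=""; [ "$2" = crl ] && opts="-crl_check -CRLfile $1/crl.pem"
  if openssl verify $opts -CAfile "$1/cacert.pem" "$1/client.crt" 2>/dev/null | grep -q ': OK'
  then echo accepted; else echo revoked; fi
}

DEMO=$(mktemp -d)
setup_demo_ca "$DEMO"
echo "without CRL: $(check_client_cert "$DEMO" nocrl)"   # accepted
echo "with CRL:    $(check_client_cert "$DEMO" crl)"     # revoked
```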