They are U.S. gov't certificates & CRLs, so providing them is a little complicated. Before I had the proper root & intermediate CAs loaded and hashed, I would get errors about missing certs in the chain. Similarly, before I loaded the CRL, it would have issues.
The CERTs are in PEM formats, as well as the CRLs.

On Wed, Dec 5, 2012 at 10:23 AM, Erwann Abalea <erwann.aba...@keynectis.com> wrote:
> OpenSSL 1.0.1 works fine here, both with expired and revoked certificates
> (i.e. correctly reports the status).
> Could you share your elements (certs, CRLs)?
>
> --
> Erwann ABALEA
> -----
> chlorophytophonie: music for green plants
>
> On 05/12/2012 15:11, Will Nordmeyer wrote:
>
>> Hi, I've done some googling and failed to come up with an answer...
>>
>> I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on
>> a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is
>> the latest one available from the CentOS repositories.
>>
>> I've downloaded and set up several Certificate Authorities as trusted
>> certs and their accompanying CRLs. I've created the hash links for
>> the CRLs and CAs as well.
>>
>> When I run a test on some test certificates I received, they all come
>> back OK, even though some are expired and some are revoked.
>>
>> I've run the following verify command and expected different results
>> to flag TestOne as valid, TestThirtySeven as Revoked and TestForty as
>> expired.
>>
>> I also tried crl_check_all and purpose flags, with no different results.
>>
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestOne_Valid.pem
>> TestOne_Valid.pem: OK
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestForty_Expired.pem
>> TestForty_Expired.pem: OK
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestThirtySeven_Revoked.pem
>> TestThirtySeven_Revoked.pem: OK
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestOne_Valid.pem
>> TestOne_Valid.pem: OK
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestForty_Expired.pem
>> TestForty_Expired.pem: OK
>> [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
>> TestThirtySeven_Revoked.pem: OK
>> [root@dmapsdev01 TestCerts]#
>>
>> Similarly, when I run from a browser, with tomcat configured for CRL
>> checking (using APR & tcnative), tomcat lets the expired and revoked
>> certificates pass.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
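For anyone reproducing the checks discussed in this thread, here is an added, self-contained example (not from the thread or from the OpenSSL project): it builds a throwaway CA with a valid, a revoked and an expired certificate, publishes a CRL, creates the `<hash>.0` / `<hash>.r0` links that `-CApath` lookups (and c_rehash) rely on, and shows what `openssl verify` reports with and without `-crl_check_all`. All names, subjects and the 2012 validity window are made up for the demo.

```shell
# Added example, not code from the thread: throwaway CA, three end-entity
# certs (valid / revoked / expired), a CRL, hash links, and openssl verify.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts capath; touch index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed root, then three CSRs signed by it; "expired" gets a validity window in 2012.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 365 \
    -subj /CN=DemoRoot -config ca.cnf 2>/dev/null
for n in valid revoked expired; do
  openssl req -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj /CN=$n -config ca.cnf 2>/dev/null
done
openssl ca -batch -notext -config ca.cnf -in valid.csr   -out valid.pem   2>/dev/null
openssl ca -batch -notext -config ca.cnf -in revoked.csr -out revoked.pem 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in expired.csr -out expired.pem \
    -startdate 120101000000Z -enddate 120102000000Z 2>/dev/null
openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# -CApath lookup (what c_rehash builds): <subject_hash>.0 for the CA, <issuer_hash>.r0 for its CRL
ln -s ../ca.pem  capath/$(openssl x509 -in ca.pem  -noout -hash).0
ln -s ../crl.pem capath/$(openssl crl  -in crl.pem -noout -hash).r0
# verify_status CERT [extra openssl verify flags] -> prints OK or REJECTED, never fails under set -e
verify_status() { cert=$1; shift
  if openssl verify -CApath capath "$@" "$cert" >/dev/null 2>&1; then echo OK; else echo REJECTED; fi; }
for n in valid revoked expired; do
  echo "$n.pem: no CRL check -> $(verify_status $n.pem); -crl_check_all -> $(verify_status $n.pem -crl_check_all)"
done
```

The revoked certificate is only rejected when a CRL-check flag is given and the CRL is actually found through the hash link; the expired one is rejected either way, so an expired cert coming back OK points at the certificate file or the chain being built, not at CRL handling.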