On Tuesday 01. October 2013 02:56:16 you wrote:
> Hi,
> 
> I am very new to OpenSSL.
> 
> I would like to understand how exactly CRL is used.
> 
> Means, lets say, we try to login using gmail.com in any browser. Now we see
> certificates - We see Google Inc is the 1st level and it has a CRL which is
> pointing to one URL.
> 
> I tried to enable wireshark and see if there is any communication, but in
> vain.
> I wanted to know how CRL will be handled?

Basically, if you (your browser) wants to validate a SSL certificate it has to 
check the revocation status of each certificate in the chain (consisting 
usually of three certificates: The root certificate, the CA certificate and the 
server certificate). To do this, it looks if the certificate has either a 
reference to a CRL or to an OCSP server (a protocol which lets you query the 
status of a single certificate) and if it finds one (root certificates usually 
don't have one, all others must have one) contacts on of those.

The reason why you didn't see anything in wireshark is, is that a lot of 
browsers don't query the revocation status at all in their default settings, 
since they value performance over security.

cheers
Mat
 
> The reason I am asking is:
> We have a device which has Qt / webkit based browser on Linux. Now if I want
> enable OpenSSL, as a first and easiest step, compiled qt with "openSSL"
> libraries.
> 
> If somebody point me to links that will be great.
> 
> (I am not sure if this is the right forum to ask this question. If not, my
> apologies )
> 
> 
> 
> 
> 
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/OpenSSL-CRL-Understanding-tp46712.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to