Hi, I'm having a problem where my 'server' code verifies a client as OK, even though their cert was revoked.
I've tested my client against openssl s_server, which properly states: verify error:num=23:certificate revoked, so I know the cert/CA is set up OK.

Some relevant server code:

    /* set verify params */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(ctx, 1); // played with different values, doesn't have an effect

    /* wait for connection */
    if (BIO_do_accept(abio) <= 0) {
        // cleanup and exit
    }

    // process connection (prob on a new thread)
    out = BIO_pop(abio);

    // do SSL handshake
    if (BIO_do_handshake(out) <= 0) {
        printf("Handshake failed.\n");
        ERR_print_errors_fp(stdout);
        // cut some cleanup…
        return -1;
    }

    // validate cert...
    SSL *ssl2;
    BIO_get_ssl(out, &ssl2);

    // verify conn
    if (SSL_get_verify_result(ssl2) != X509_V_OK) {
        // never gets here
    } else
        printf("verified ok %ld\n", SSL_get_verify_result(ssl2));

So it always prints "verified ok 0" - which is the verified code.

Any ideas?? Thanks!!

-- 
View this message in context: http://old.nabble.com/A-%28client%27s%29-revoked-certificate-verifies-as-OK-%21-%21%21-tp32695926p32695926.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org