On Tue, Aug 17, 2004, Joseph Bruni wrote:

> I have a server that runs with many (1500) long-duration SSL connections. I am using
> CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the
> following code:
>
>     X509_STORE* store = SSL_CTX_get_cert_store(ctx);
>     if ( !store ) {
>         ERR_print_errors_syslog(LOG_ERR);
>         throw std::runtime_error("SSL_CTX_get_cert_store");
>     }
>
>     X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
>     if ( !lookup ) {
>         ERR_print_errors_syslog(LOG_ERR);
>         throw std::runtime_error("X509_STORE_add_lookup");
>     }
>     if (X509_load_crl_file(lookup, "crl.pem", X509_FILETYPE_PEM) != 1)
>     {
>         ERR_print_errors_syslog(LOG_ERR);
>         throw std::runtime_error("X509_load_crl_file");
>     }
>
>     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
>
> The problem is that after running for several hours, all new connections start
> getting rejected with a "certificate revoked" error. The actual error message also
> shows that the RSA signature on the CRL has gone bad. Restarting the system or even
> causing a rebuild of the SSL_CTX allows things to proceed.
>
> Are there any known issues in 0.9.7d on OS X that might cause the CRL object to
> become corrupt?
Nothing I know of. The CRL might expire, which would cause errors but not certificate revoked or signature errors.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
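As an added example (not part of the thread), the shell checks a practitioner would run against the CRL file when a long-running process suddenly reports CRL signature or revocation failures: is the CRL still inside its lastUpdate/nextUpdate window (the expiry case Steve mentions), and does its signature still verify against the CA certificate? The CA, CRL and file names are all constructed here with a throwaway key; it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: build a throwaway CA and CRL with the openssl CLI, then
# run the two diagnostics for a CRL that has started failing verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed CA (constructed for this example only).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Minimal config so 'openssl ca -gencrl' can issue a CRL valid for one day.
: > "$WORK/index.txt"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 1
EOF
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null

# Print the CRL's validity window. Once nextUpdate has passed, OpenSSL
# treats the CRL as expired and verification fails until a fresh CRL is
# loaded into the store; a process that loads the CRL once at SSL_CTX
# build time never sees the new one.
crl_window() {
    openssl crl -in "$1" -noout -lastupdate -nextupdate
}

# Return 0 when the CRL's signature verifies against the issuing CA cert.
# A CRL whose bytes were corrupted in memory or on disk fails this check.
crl_sig_ok() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q "verify OK"
}

crl_window "$WORK/crl.pem"
if crl_sig_ok "$WORK/crl.pem" "$WORK/ca.pem"; then
    echo "CRL signature OK"
else
    echo "CRL signature BAD"
fi
```

Run the same two checks against the production crl.pem and the real CA certificate; a passing signature check together with a nextUpdate in the past points at a stale CRL rather than a corrupted one.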