Hello,

I have an application with simple init code:

    SSL_CTX *ctx;
    X509_STORE *store;
    X509_LOOKUP *lookup;

    (...)
    /* Reuse the store owned by the SSL_CTX and attach a hashed-directory lookup. */
    store = SSL_CTX_get_cert_store(ctx);
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    /* CA certs and CRLs are located in ca_path by <hash>.N / <hash>.rN file names. */
    X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
    /* Check the CRL for the leaf and for every CA in the chain. */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                X509_V_FLAG_CRL_CHECK_ALL);
    (...)
    (...)

The certificate verification chain is OK, CRLs are checked, etc.

Now I have to revoke a certificate: I build a new CRL. But if I simply
update the CRL file in "ca_path" without restarting the server, OpenSSL
continues to accept the certificate.

If I restart the server, it's OK: the certificate is revoked...

In fact, "openssl s_server -CApath ..." has the same issue.

How can I tell my server to update the X509_STORE when a file is updated
in ca_path? Or is there any option to set a "time to live" for a store?

Thanks,
--
Thomas
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
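The following script is an added example and is not part of Thomas's post or of the OpenSSL project. It builds a throwaway CA, issues a certificate, lays the CA certificate and CRL out in a CApath directory under the hashed names that X509_LOOKUP_hash_dir() (the same lookup "openssl verify -CApath" uses) expects, revokes the certificate, and then installs the new CRL under the next suffix (<hash>.r1) instead of overwriting <hash>.r0. It assumes the openssl CLI (1.0.2 or later) is on PATH; the CA name "Demo CA", the leaf name "client", the config contents and all function names are constructed for this example. The reason for the ".r1" step is my reading of OpenSSL's by_dir lookup, which the post itself does not establish: for CRLs the lookup remembers the highest suffix it has loaded for each issuer hash and, on every verification, probes for the next one, but it never re-reads a file it has already loaded, so a rewritten .r0 is invisible to a running process while a new .r1 is picked up. Which of several loaded CRLs wins is decided by OpenSSL's CRL scoring (the later lastUpdate is preferred, in 1.0.0 and later), hence the two-second pause before generating the second CRL.

```shell
#!/bin/sh
# Added example (not from the original post): hashed CApath layout,
# revocation, and installing a new CRL as <hash>.r1 next to <hash>.r0.
# Assumes the `openssl` CLI is on PATH. Names and config are constructed.
set -eu

# Create a minimal `openssl ca` setup in the work dir $1 (hypothetical helper).
make_demo_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf
[ demo_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    # Self-signed demo CA (constructed for this example, not a real CA).
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Demo CA" -days 365 2>/dev/null
}

# Issue a leaf certificate named $2 from the CA in work dir $1.
issue_leaf() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -notext \
        -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}

# Generate a CRL from the CA's index into file $2.
gen_crl() {
    openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$2" 2>/dev/null
}

# X509_LOOKUP_hash_dir() finds CA certs as <subject_hash>.N ...
install_ca() {
    mkdir -p "$2"
    cp "$1/ca.pem" "$2/$(openssl x509 -in "$1/ca.pem" -noout -subject_hash).0"
}

# ... and CRLs as <issuer_hash>.rN; $3 is the suffix N to use.
install_crl() {
    cp "$1" "$2/$(openssl crl -in "$1" -noout -hash).r$3"
}

# Same lookup and CRL checking as the post's init code; prints OK/revoked/error.
verify_status() {
    if out=$(openssl verify -CApath "$1" -crl_check "$2" 2>&1); then
        echo OK
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo error ;;
        esac
    fi
}

# Whole flow; prints e.g. "before=OK after=revoked". Temp dir removed on success.
crl_reload_demo() {
    work=$(mktemp -d)
    make_demo_ca "$work"
    issue_leaf "$work" client
    install_ca "$work" "$work/capath"
    gen_crl "$work" "$work/crl0.pem"
    install_crl "$work/crl0.pem" "$work/capath" 0
    before=$(verify_status "$work/capath" "$work/client.pem")

    openssl ca -batch -config "$work/openssl.cnf" -revoke "$work/client.pem" 2>/dev/null
    sleep 2   # the new CRL needs a strictly later lastUpdate to be preferred
    gen_crl "$work" "$work/crl1.pem"
    install_crl "$work/crl1.pem" "$work/capath" 1   # next suffix; .r0 left untouched
    after=$(verify_status "$work/capath" "$work/client.pem")

    rm -rf "$work"
    echo "before=$before after=$after"
}

crl_reload_demo
```

Because "openssl verify" starts a fresh process each time, the script can only show the directory convention, not the stale cache inside a long-running server. For the server itself, two approaches I would consider (stated as suggestions, not something the post confirms): write each new CRL under the next free <hash>.rN suffix as above and let the hashed lookup discover it, or build a fresh X509_STORE from ca_path when a file changes and hand it to the context with SSL_CTX_set_cert_store(), so new connections verify against the rebuilt store and nothing in the old one is mutated under live sessions.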