On Thu, May 29, 2003, Andreas wrote:
> I'm confused regarding the difference between -crl_check and -crl_check_all
> when using openssl smime -verify.
>
> I have a signed email with a Thawte free-mail certificate, it's Mensagem.eml
> (attached). I signed it with Mozilla. The hierarchy is the following:
>
> Thawte Personal Freemail CA
>   Personal Freemail RSA 2000.8.30
>     Thawte Freemail Member   <--- that's my certificate
>
> $ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/
> Verification successful
>
> I have downloaded Thawte's CRLs from their site:
> $ l mycerts/*Thawte*crl*
> -rw-rw-r-- 1 andreas andreas    597 2003-05-20 18:22 mycerts/ThawtePersonalBasicCA.crl.pem
> -rw-rw-r-- 1 andreas andreas 580905 2003-05-20 18:23 mycerts/ThawtePersonalFreemailRSA2000830.crl.pem
> -rw-rw-r-- 1 andreas andreas  10607 2003-05-20 18:23 mycerts/ThawteServerCA.crl.pem
>
> They all have the symlinks set with c_rehash.
>
> The following doesn't work:
> $ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/ -crl_check
> Verification failure
> 12333:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get certificate CRL
>
> Using strace, I can see that openssl is trying to open a CRL for the first CA (the
> one at the top of the hierarchy), as well as a CRL for the RSA CA. This CRL I have,
> but not the CRL for the first CA.
>
> However, using -crl_check_all, it "works":
> $ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/ -crl_check_all
> Verification successful
>
> Here, strace shows it only opening the CRL for the RSA CA. According to the
> description of these parameters:
> $ openssl smime 2>&1|grep crl
> -crl_check      check revocation status of signer's certificate using CRLs
> -crl_check_all  check revocation status of signer's certificate chain using CRLs
>
> I would think crl_check_all would check the whole chain, but it seems that crl_check
> is doing that instead. Any hints?
Are you sure that's OpenSSL 0.9.7b? There was a bug in 0.9.7a and before that got
those the wrong way round, but I thought it had been fixed for 0.9.7b.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
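The intended behaviour of the two flags (signer only versus the whole chain), shown as an added example that is not part of the thread: it builds a constructed Root CA -> Sub CA -> S/MIME signer hierarchy with one CRL per CA and verifies against two hashed -CApath directories, one holding only the Sub CA's CRL and one holding both. It assumes only the openssl command-line tool; all names, files and directories here are made up for the demo.

```shell
#!/bin/sh
# Constructed demo (not the poster's setup): Root CA -> Sub CA -> S/MIME signer,
# one CRL per CA, then -crl_check vs -crl_check_all against hashed -CApath dirs.
set -e
W=$(mktemp -d); cd "$W"; trap 'rm -rf "$W"' EXIT; export CADIR=root
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local
[ local ]
dir = $ENV::CADIR
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
[ req ]
distinguished_name = dn
[ dn ]
EOF
for ca in root sub; do mkdir "$ca"; : > "$ca/index.txt"; echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"; done
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj /CN=Root -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null
for n in sub leaf; do openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj /CN=$n -config ca.cnf 2>/dev/null; done
CADIR=root openssl ca -batch -notext -config ca.cnf -cert root.crt -keyfile root.key -extensions v3_ca -in sub.csr -out sub.crt >/dev/null 2>&1
CADIR=sub openssl ca -batch -notext -config ca.cnf -cert sub.crt -keyfile sub.key -extensions v3_leaf -in leaf.csr -out leaf.crt >/dev/null 2>&1
CADIR=root openssl ca -config ca.cnf -cert root.crt -keyfile root.key -gencrl -out root.crl 2>/dev/null   # empty CRL signed by Root
CADIR=sub openssl ca -config ca.cnf -cert sub.crt -keyfile sub.key -gencrl -out sub.crl 2>/dev/null      # empty CRL signed by Sub
printf 'Subject: test\n\nhello\n' > msg.txt
openssl smime -sign -in msg.txt -signer leaf.crt -inkey leaf.key -certfile sub.crt -out msg.eml   # Sub CA cert rides inside the PKCS#7
# -CApath directories with the <hash>.0 / <hash>.r0 names that c_rehash would create
addcert() { mkdir -p "$2"; cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"; }
addcrl()  { cp "$1" "$2/$(openssl crl -noout -hash -in "$1").r0"; }
addcert root.crt sub_crl_only; addcrl sub.crl sub_crl_only
addcert root.crt both_crls;    addcrl sub.crl both_crls; addcrl root.crl both_crls
verify() { if openssl smime -verify -in msg.eml -CApath "$2" "$1" -out /dev/null >/dev/null 2>&1; then echo ok; else echo fail; fi; }  # verify FLAG CAPATH
verify -crl_check     sub_crl_only   # ok:   only the CRL of the signer's issuer (Sub) is consulted
verify -crl_check_all sub_crl_only   # fail: the Sub CA cert needs Root's CRL as well
verify -crl_check_all both_crls      # ok:   every CA in the chain has a CRL
```

Replace the printed "fail" with a run of the same command without the output redirections to see the "unable to get certificate CRL" error from the thread.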