I'm using client certificate verification via SSL_CTX_set_client_CA_list() and SSL_CTX_load_verify_locations(). I'd like to add CRLs. The only way that I've found to do this is to call:

      X509_STORE *store = SSL_CTX_get_cert_store(ctx);
      X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

When I do this, my server starts rejecting all client certificates. I've verified that my client certificates are accepted if I don't set the flag, but rejected if I do. In this case, I don't have a CRL file at all!

An ssldump is below, I'd appreciate any advice on what I might be doing wrong, or if there is another way to manage CRLs.

Thx
David
------------

New TCP connection #65: foo.bar.com(3492) <-> bas.bar.com(12346)
65 1  8.6646 (8.6646)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
65 2  8.6649 (0.0003)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          26 1a d1 61 e8 53 6c 8f f1 55 12 25 c6 41 71 bd
          df 07 07 a9 18 f5 02 de 87 5d f5 60 db 12 67 46
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
65 3  8.6649 (0.0000)  S>C  Handshake
      Certificate
65 4  8.6649 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
        certificate_types                   dss_sign
        certificate_authority
          30 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31
          13 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53
          74 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49
          6e 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20
          50 74 79 20 4c 74 64
      ServerHelloDone
65 5  8.6728 (0.0078)  C>S  Handshake
      Certificate
65 6  8.6728 (0.0000)  C>S  Handshake
      ClientKeyExchange
65 7  8.6728 (0.0000)  C>S  Handshake
      CertificateVerify
        Signature[128]=
          37 b9 68 d8 64 e7 ef ae 77 1a 68 38 cd 28 13 52
          b2 d5 ca e9 fc 5e f8 a7 e8 a6 2d 42 09 e9 5e 7d
          1a b7 c8 0a d7 be 04 80 3d c1 9a 51 fc d7 8a d1
          9b 2d 27 f5 33 56 b7 31 ae 6d 7c 11 ed fe 37 6e
          4b d1 a9 b8 4f fc 6b c1 4c 13 e5 f1 77 e9 8a c3
          e5 b0 91 1b af a6 29 d8 79 ee 27 95 08 f7 c3 03
          e1 09 73 ef b1 43 d8 f2 d8 7f b1 9d 73 5c 2c 3f
          0c bc 3e f1 ee 5f 5b 98 9b c1 72 4a 6b 08 ca c9
65 8  8.6728 (0.0000)  C>S  ChangeCipherSpec
65 9  8.6728 (0.0000)  C>S  Handshake
65 10 8.6766 (0.0038)  S>C  Alert
    level           fatal
    value           unknown_ca
65    8.6768 (0.0002)  S>C  TCP RST

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
