The Questions:
--------------
1) Is there any way to validate what's in a CRL? Something akin to openssl x509 -text, for CRLs would be awesome.
2) Why is OpenSSL not seeing revoked certificates in my CRL?
The Background:
---------------
I create a CRL using:
openssl ca -gencrl -out crl2.pem -revoke client1.pem
I then use c_rehash to generate the symbolic links to my CA file and CRL.
In my server I set the CA cert SSL_CTX_set_client_CA_list(), SSL_CTX_load_verify_locations. I call SSL_CTX_set_verify() and then set the CRL bits using:
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
The Observations:
-----------------
I find that my server is not rejecting a revoked client certificate. I followed the execution in a debugger and I saw that the correct CRL file is indeed loaded by X509_load_crl_file(). When I look at the X509_CRL* that is loaded, I see the following:
{version = 0x0, sig_alg = 0x8a7cac4, issuer = 0x8a7cae4,
lastUpdate = 0x8a7cb8c, nextUpdate = 0x8a7d02c, revoked = 0x0,
extensions = 0x0}
Note the bit about "revoked". I think that this is telling me that there are no revoked certs in my CRL.
When my client connection request comes in, my server invokes cert_crl() which calls sk_X509_REVOKED_find(). This fails to find the client cert (since revoked is 0) and the client connection is accepted.
So I'm pretty sure that there's something wrong with my CRL.
Note:
-----
If I try to revoke the client cert again, I get this:

> openssl ca -gencrl -out crl3.pem -revoke client1.pem
Using configuration from /usr/pubsw/apps/openssl/openssl.cnf
Enter PEM pass phrase:
ERROR:Already revoked, serial number 02
So I'm pretty sure that my CA knows that the client cert has been revoked.
Thanks David
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
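An added example, not part of the original post and not OpenSSL project code, that answers both questions above in a reproducible way. It builds a throwaway CA in a temporary directory, issues a client certificate, and then produces two CRLs: one with the exact combined form used in the post (`openssl ca -gencrl -out ... -revoke ...`) and one from a separate `-gencrl` run after the revocation. Each CRL is listed with `openssl crl -text -noout` (the CRL counterpart of `openssl x509 -text`) and tested with `openssl verify -crl_check`, which applies the same CRL check the server enables with X509_V_FLAG_CRL_CHECK. The point it demonstrates is that `openssl ca` writes the CRL before it records the `-revoke`, which is why the combined invocation yields a CRL with `revoked` empty while the CA database already says "Already revoked". All subjects, file names and the configuration here are constructed for the demo; it assumes a POSIX shell and an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway CA in a
# temporary directory, issues a client certificate, then compares the CRL from
# the combined "-gencrl ... -revoke" invocation with the CRL from a separate
# "-gencrl" run. Every file name and subject here is constructed for the demo.
set -e

# Number of revoked entries printed by "openssl crl -text", the CRL
# counterpart of "openssl x509 -text"; prints 0 for an empty CRL.
crl_revoked_count() {
    openssl crl -in "$1" -text -noout | grep -c 'Serial Number:' || true
}

# CLI equivalent of X509_V_FLAG_CRL_CHECK: verify cert $3 against CA cert $1
# with CRL $2 loaded alongside it (-CAfile accepts a cert+CRL PEM bundle).
verify_with_crl() {
    bundle="$(dirname "$1")/bundle.pem"
    cat "$1" "$2" > "$bundle"
    if openssl verify -crl_check -CAfile "$bundle" "$3" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Create a minimal "openssl ca" layout under $1 and issue client1.pem from it.
setup_ca() {
    d="$1"
    mkdir "$d/newcerts"
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    # \$dir is escaped so that OpenSSL, not the shell, expands it.
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo CA" \
        -days 365 -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=client1" \
        -keyout "$d/client1.key" -out "$d/client1.csr" >/dev/null 2>&1
    openssl ca -batch -config "$d/ca.cnf" -notext -in "$d/client1.csr" \
        -out "$d/client1.pem" >/dev/null 2>&1
}

# Runs the comparison in a fresh directory and prints one summary line:
# entry count of each CRL, then the verify outcome with each CRL.
run_demo() {
    w=$(mktemp -d)
    setup_ca "$w"

    # The post's command: "openssl ca" writes the CRL before it records the
    # -revoke in index.txt, so this CRL carries no entries (revoked = NULL).
    openssl ca -batch -config "$w/ca.cnf" -gencrl -out "$w/crl_combined.pem" \
        -revoke "$w/client1.pem" >/dev/null 2>&1

    # Second invocation: the revocation is now in index.txt and is picked up.
    openssl ca -batch -config "$w/ca.cnf" -gencrl -out "$w/crl_regenerated.pem" \
        >/dev/null 2>&1

    n1=$(crl_revoked_count "$w/crl_combined.pem")
    n2=$(crl_revoked_count "$w/crl_regenerated.pem")
    v1=$(verify_with_crl "$w/ca.pem" "$w/crl_combined.pem" "$w/client1.pem")
    v2=$(verify_with_crl "$w/ca.pem" "$w/crl_regenerated.pem" "$w/client1.pem")
    rm -rf "$w"
    echo "combined=$n1 regenerated=$n2 combined_verify=$v1 regenerated_verify=$v2"
}

run_demo
```

Running the script prints `combined=0 regenerated=1 combined_verify=accepted regenerated_verify=rejected`: the CRL written in the same invocation as the revocation lists nothing, so verification with it still accepts client1, while the CRL regenerated afterwards lists serial 01 and verification rejects the certificate. For a server that loads CRLs through c_rehash directories, the same `openssl crl -in <file> -text -noout` check on the hashed file is the quickest way to confirm that the CRL actually being loaded contains the expected serials before debugging the verify callback.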