To verify the CRL:

    openssl crl -in crl.pem -CAfile cacert.pem

To view the contents of the CRL:

    openssl crl -in crl.pem -text

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Kramer
> Sent: Wednesday, June 04, 2003 12:17 PM
> To: [EMAIL PROTECTED]
> Subject: CRL doesn't revoke
>
> I'm trying to use CRLs but my server is not rejecting certificates that
> are (supposed to be) in my CRL. I'd appreciate any advice that people
> might have.
>
> The Questions:
> --------------
> 1) Is there any way to validate what's in a CRL? Something akin to
>    openssl x509 -text, for CRLs would be awesome.
> 2) Why is OpenSSL not seeing revoked certificates in my CRL?
>
> The Background:
> ---------------
> I create a CRL using:
>
>     openssl ca -gencrl -out crl2.pem -revoke client1.pem
>
> I then use c_rehash to generate the symbolic links to my CA file and CRL.
>
> In my server I set the CA cert with SSL_CTX_set_client_CA_list() and
> SSL_CTX_load_verify_locations(). I call SSL_CTX_set_verify() and then set
> the CRL bits using:
>
>     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
>
> The Observations:
> -----------------
> I find that my server is not rejecting a revoked client certificate. I
> followed the execution in a debugger and I saw that the correct CRL file
> is indeed loaded by X509_load_crl_file(). When I look at the X509_CRL*
> that is loaded, I see the following:
>
>     {version = 0x0, sig_alg = 0x8a7cac4, issuer = 0x8a7cae4,
>      lastUpdate = 0x8a7cb8c, nextUpdate = 0x8a7d02c, revoked = 0x0,
>      extensions = 0x0}
>
> Note the bit about "revoked". I think that this is telling me that there
> are no revoked certs in my CRL.
>
> When my client connection request comes in, my server invokes cert_crl()
> which calls sk_X509_REVOKED_find(). This fails to find the client cert
> (since revoked is 0) and the client connection is accepted.
>
> So I'm pretty sure that there's something wrong with my CRL.
>
> Note:
> -----
>
> If I try to revoke the client cert again, I get this:
>
>     openssl ca -gencrl -out crl3.pem -revoke client1.pem
>     Using configuration from /usr/pubsw/apps/openssl/openssl.cnf
>     Enter PEM pass phrase:
>     ERROR:Already revoked, serial number 02
>
> So I'm pretty sure that my CA knows that the client cert has been revoked.
>
> Thanks
> David
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                          [EMAIL PROTECTED]
> ______________________________________________________________________
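As an added illustration that is not part of this thread: a small Python DER walker that lists the serial numbers in a CRL's revokedCertificates field, the same information `openssl crl -text` prints, and that returns an empty list for a CRL in which that OPTIONAL field is simply absent (the `revoked = 0x0` the debugger showed above). It only parses the TBSCertList and does not check the CRL signature; the sample CRLs are constructed in-line and unsigned, and the names der_tlv, revoked_serials, der and sample_crl are mine, not OpenSSL's.

```python
def der_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def revoked_serials(crl_der):
    """Serial numbers (ints) in revokedCertificates; [] when the field is absent."""
    _, crl, _ = der_tlv(crl_der, 0)         # CertificateList ::= SEQUENCE
    _, tbs, _ = der_tlv(crl, 0)             # tbsCertList ::= SEQUENCE
    pos = 0
    if tbs[pos] == 0x02:                    # OPTIONAL version INTEGER (present in v2 CRLs only)
        _, _, pos = der_tlv(tbs, pos)
    for _ in range(3):                      # signature AlgorithmIdentifier, issuer Name, thisUpdate
        _, _, pos = der_tlv(tbs, pos)
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):   # OPTIONAL nextUpdate (UTCTime/GeneralizedTime)
        _, _, pos = der_tlv(tbs, pos)
    serials = []
    # revokedCertificates is OPTIONAL; when it is absent OpenSSL shows revoked = 0x0
    # ([0] crlExtensions would carry tag 0xA0, so a 0x30 here is the revoked list).
    if pos < len(tbs) and tbs[pos] == 0x30:
        _, revoked, _ = der_tlv(tbs, pos)
        p = 0
        while p < len(revoked):
            _, entry, p = der_tlv(revoked, p)
            _, serial, _ = der_tlv(entry, 0)    # userCertificate INTEGER is first in each entry
            serials.append(int.from_bytes(serial, "big", signed=True))
    return serials

def der(tag, body):
    """Encode one TLV (bodies shorter than 256 bytes are enough for the samples)."""
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def sample_crl(serials):
    """Constructed v1 CRL (no version field, like the thread's) with a dummy, unsigned signature."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"Test CA"))))
    tbs = alg + issuer + der(0x17, b"230604120000Z") + der(0x17, b"230704120000Z")
    if serials:                             # serials kept below 128 so the INTEGER needs no 0x00 pad
        entries = [der(0x30, der(0x02, bytes([s])) + der(0x17, b"230604120000Z")) for s in serials]
        tbs += der(0x30, b"".join(entries))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(revoked_serials(sample_crl([])), revoked_serials(sample_crl([2, 3])))  # [] [2, 3]
```

Run it against a real file with `revoked_serials(open("crl.der", "rb").read())` after converting with `openssl crl -in crl.pem -outform DER -out crl.der`; an empty result on a CRL that should list serial 02 is the condition the thread describes.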