Hi all, I'm trying to implement CRL in my server program. If I don't use CRL, the server runs well. After I load the CRL file, I get the following errors:

-Error with certificate at depth: 0
  issuer  = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
  subject = /C=AA/ST=BB/L=CC/O=DD/CN=EE
  err 3:unable to get certificate CRL
** server.c:166 Error accepting SSL connection

The CRL file I loaded is in PEM format, something like this:

-----BEGIN X509 CRL-----
asdflasf
-----END X509 CRL-----

The following function sets up the server ctx and store; no error is returned from it (no error for CRL loading, right?). I got the above error from SSL_accept().

#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* CAFILE, CADIR, CERTFILE, CRLFILE, CIPHER_LIST, int_error(),
 * verify_callback() and tmp_dh_callback() are not shown in this excerpt. */
SSL_CTX *setup_server_ctx(void)
{
    SSL_CTX *ctx;
    X509_STORE *store;
    X509_LOOKUP *lookup;

    ctx = SSL_CTX_new(SSLv23_method());
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
        int_error("Error loading CA file and/or directory");
    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        int_error("Error loading default CA file and/or directory");
    if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
        int_error("Error loading certificate from file");
    if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
        int_error("Error loading private key from file");
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
    SSL_CTX_set_verify_depth(ctx, 4);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
    SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
        int_error("Error setting cipher list (no valid ciphers)");

    /* Enable CRL: add a file lookup to the context's certificate store,
     * load the CRL through it and turn on CRL checking for the whole chain */
    store = SSL_CTX_get_cert_store(ctx);
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
    return ctx;
}

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]