Hi all,

I'm trying to implement CRL checking in my server program.
If I don't use a CRL, the server runs well.
After I load the CRL file, I get the following errors:

-Error with certificate at depth: 0
  issuer   = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
  subject  = /C=AA/ST=BB/L=CC/O=DD/CN=EE
  err 3:unable to get certificate CRL
** server.c:166 Error accepting SSL connection

The CRL file I loaded is in PEM format, something like this:
--------BEGIN X509 CRL----------------
asdflasf
--------END X509 CRL------------------


The following function sets up the server ctx and store; no error is returned
from it (so no error for the CRL loading, right?). I get the above error from
SSL_accept().
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* CAFILE, CADIR, CERTFILE, CRLFILE and CIPHER_LIST, as well as int_error(),
 * verify_callback() and tmp_dh_callback(), are defined elsewhere in the
 * program; only the context/store setup is shown here. */
SSL_CTX *setup_server_ctx(void)
{
    SSL_CTX *ctx;
    X509_STORE *store;
    X509_LOOKUP *lookup;

    ctx = SSL_CTX_new(SSLv23_method());
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
        int_error("Error loading CA file and/or directory");
    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        int_error("Error loading default CA file and/or directory");
    if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
        int_error("Error loading certificate from file");
    if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
        int_error("Error loading private key from file");
    /* require a client certificate and run verify_callback on each chain element */
    SSL_CTX_set_verify(ctx,
                       SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
    SSL_CTX_set_verify_depth(ctx, 4);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
                             SSL_OP_SINGLE_DH_USE);
    SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
        int_error("Error setting cipher list (no valid ciphers)");

    /* Enable CRL checking: add a file lookup to the context's certificate
     * store and load the PEM CRL(s) from CRLFILE into it. */
    store = SSL_CTX_get_cert_store(ctx);
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");
    /* CRL_CHECK checks the peer certificate; CRL_CHECK_ALL checks every
     * certificate in the chain, so the store then needs a CRL issued by
     * each CA in the chain. */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                X509_V_FLAG_CRL_CHECK_ALL);
    return ctx;
}
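The CLI counterpart of the store setup above, as an added example that is not part of the original post: it builds a throwaway one-level PKI (every file is constructed on the spot), then runs openssl verify -crl_check, which applies the same X509_V_FLAG_CRL_CHECK as the C code, to show exactly when error 3 "unable to get certificate CRL" appears and when a CRL from the certificate's issuer is honoured. It assumes only that an openssl binary (1.1.1 or 3.x) is on PATH.

```shell
# Added example, not from the original post: a throwaway one-level PKI built with
# the openssl CLI, showing when 'verify -crl_check' (the CLI form of
# X509_V_FLAG_CRL_CHECK) reports "unable to get certificate CRL". Assumes only
# that an openssl binary (1.1.1 or 3.x) is on PATH; every file here is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {   # self-signed root, one leaf signed by it, and the root's CRL
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout root.key -out root.crt -subj "/CN=Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout leaf.key -out leaf.csr -subj "/CN=EE" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in leaf.csr \
        -CA root.crt -CAkey root.key -CAcreateserial -out leaf.crt 2>/dev/null
    # minimal 'openssl ca' config: only what -gencrl and -revoke need
    printf '%s\n' '[ ca ]' 'default_ca = minimal' '[ minimal ]' \
        'database = index.txt' 'crlnumber = crlnumber' 'certificate = root.crt' \
        'private_key = root.key' 'default_md = sha256' 'default_crl_days = 30' > ca.cnf
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}

# verify_leaf [crlfile]: print "ok" or the verifier's error text for leaf.crt
verify_leaf() {
    if [ -n "$1" ]; then set -- -CRLfile "$1"; fi
    if out=$(openssl verify -crl_check -CAfile root.crt "$@" leaf.crt 2>&1); then
        echo ok
    else   # the CLI prints "error N at D depth lookup: <text>"; keep <text>
        printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1
    fi
}

revoke_leaf() {   # revoke the leaf and reissue the CRL (CRL number rotates)
    openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}

make_pki
RESULT_NO_CRL=$(verify_leaf)            # unable to get certificate CRL
RESULT_WITH_CRL=$(verify_leaf root.crl) # ok
revoke_leaf
RESULT_REVOKED=$(verify_leaf root.crl)  # certificate revoked
printf 'no CRL: %s\nissuer CRL: %s\nafter revoke: %s\n' \
    "$RESULT_NO_CRL" "$RESULT_WITH_CRL" "$RESULT_REVOKED"
```

The first result is the same error 3 the server reports: with CRL checking on, the store must hold a CRL signed by the issuer of every certificate being checked (only the peer's issuer for CRL_CHECK, every CA in the chain for CRL_CHECK_ALL), and verification fails before any revocation status is even looked up.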


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]