I ran across this as well. Check out this thread: http://www.mail-archive.com/[EMAIL PROTECTED]/msg31473.html
austin

----- Original Message -----
From: "Jue (Jacky) Shu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 15, 2003 11:29 AM
Subject: CRL problem

> Hi all,
>
> I'm trying to implement CRL in my server program.
> If I don't use CRL, server runs well.
> After I load CRL file, I get the following errors
>
> -Error with certificate at depth: 0
>   issuer = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
>   subject = /C=AA/ST=BB/L=CC/O=DD/CN=EE
>   err 3:unable to get certificate CRL
> ** server.c:166 Error accepting SSL connection
>
> the CRL file I loaded is in PEM format, sth like this:
> --------BEGIN X509 CRL----------------
> asdflasf
> --------END X509 CRL------------------
>
>
> the following function set up server ctx and store, no error returns
> from it (no error for crl loading, right?). I got the above error from
> SSL_accept().
>
> SSL_CTX *setup_server_ctx(void)
> {
>     SSL_CTX *ctx;
>     X509_STORE *store;
>     X509_LOOKUP *lookup;
>
>     ctx = SSL_CTX_new(SSLv23_method( ));
>     if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
>         int_error("Error loading CA file and/or directory");
>     if (SSL_CTX_set_default_verify_paths(ctx) != 1)
>         int_error("Error loading default CA file and/or directory");
>     if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
>         int_error("Error loading certificate from file");
>     if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
>         int_error("Error loading private key from file");
>     SSL_CTX_set_verify(ctx,
>                        SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                        verify_callback);
>     SSL_CTX_set_verify_depth(ctx, 4);
>     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
>                              SSL_OP_SINGLE_DH_USE);
>     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
>     if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
>         int_error("Error setting cipher list (no valid ciphers)");
>
>     //Enable CRL
>     store = SSL_CTX_get_cert_store(ctx);
>     if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
>         int_error("Error creating X509_LOOKUP object");
>     if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
>         int_error("Error reading the CRL file");
>     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
>                                 X509_V_FLAG_CRL_CHECK_ALL);
>     return ctx;
> }
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
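
The following is an added example, not part of either message in this thread: it reproduces verification error 3 ("unable to get certificate CRL") with the `openssl` command-line tool in the one condition that is certain to trigger it, namely CRL checking enabled while the verifier has no CRL issued by the certificate's issuer, and then shows the same certificate verifying once a matching CRL is supplied. It assumes the `openssl` CLI is installed; the function name, subjects and file names are constructed for the demo, and it does not identify the cause in the poster's setup.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, certificate and CRL in a temp directory.
# Usage: crl_check_demo no-crl | crl_check_demo with-crl
# Prints the output of `openssl verify -crl_check` for the chosen mode.
crl_check_demo() {
    mode=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Self-signed root CA and one end-entity certificate issued by it.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "/CN=EE" \
            -keyout ee.key -out ee.csr 2>/dev/null
        openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out ee.pem 2>/dev/null
        # Minimal CA section so `openssl ca -gencrl` can sign an empty CRL.
        : > index.txt
        printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' \
            'database = index.txt' 'default_md = sha256' \
            'default_crl_days = 1' > ca.cnf
        openssl ca -gencrl -config ca.cnf -cert ca.pem -keyfile ca.key \
            -out crl.pem 2>/dev/null
        if [ "$mode" = with-crl ]; then
            # CRL from the certificate's issuer is available: check passes.
            openssl verify -CAfile ca.pem -crl_check -CRLfile crl.pem ee.pem 2>&1
        else
            # CRL checking on, but no CRL for this issuer: error 3 at depth 0.
            openssl verify -CAfile ca.pem -crl_check ee.pem 2>&1
        fi
    )
    rm -rf "$dir"
}
```

`-crl_check` is the command-line counterpart of `X509_V_FLAG_CRL_CHECK`; comparing the issuer printed by `openssl crl -in CRLFILE -noout -issuer` with the issuer of the certificate that fails is a quick way to see whether the loaded CRL can apply to it.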