I ran across this as well. Check out this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg31473.html


austin

----- Original Message ----- 
From: "Jue (Jacky) Shu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 15, 2003 11:29 AM
Subject: CRL problem


> Hi all,
> 
> I'm trying to implement CRL in my server program.
> If I don't use CRL, server runs well.
> After I load CRL file, I get the following errors
> 
> -Error with certificate at depth: 0
>   issuer   = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
>   subject  = /C=AA/ST=BB/L=CC/O=DD/CN=EE
>   err 3:unable to get certificate CRL
> ** server.c:166 Error accepting SSL connection
> 
> The CRL file I loaded is in PEM format, something like this:
> --------BEGIN X509 CRL----------------
> asdflasf
> --------END X509 CRL------------------
> 
> 
> The following function sets up the server ctx and store; no error is
> returned from it (no error for CRL loading, right?). I got the above error
> from SSL_accept().
> SSL_CTX *setup_server_ctx(void)
> {
>     SSL_CTX *ctx;
>     X509_STORE *store;
>     X509_LOOKUP *lookup;
> 
>     ctx = SSL_CTX_new(SSLv23_method(  ));
>     if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
>         int_error("Error loading CA file and/or directory");
>     if (SSL_CTX_set_default_verify_paths(ctx) != 1)
>         int_error("Error loading default CA file and/or directory");
>     if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
>         int_error("Error loading certificate from file");
>     if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
>         int_error("Error loading private key from file");
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                        verify_callback);
>     SSL_CTX_set_verify_depth(ctx, 4);
>     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
>                              SSL_OP_SINGLE_DH_USE);
>     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
>     if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
>         int_error("Error setting cipher list (no valid ciphers)");
> 
>     // Enable CRL
>     store = SSL_CTX_get_cert_store(ctx);
>     if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
>         int_error("Error creating X509_LOOKUP object");
>     if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
>         int_error("Error reading the CRL file");
>     X509_STORE_set_flags(store,
>                          X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
>     return ctx;
> }
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]