I ran across this as well. Check out this thread:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg31473.html
austin
----- Original Message -----
From: "Jue (Jacky) Shu" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 15, 2003 11:29 AM
Subject: CRL problem
> Hi all,
>
> I'm trying to implement CRL in my server program.
> If I don't use CRL, server runs well.
> After I load CRL file, I get the following errors
>
> -Error with certificate at depth: 0
> issuer = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
> subject = /C=AA/ST=BB/L=CC/O=DD/CN=EE
> err 3:unable to get certificate CRL
> ** server.c:166 Error accepting SSL connection
>
> the CRL file I loaded is in PEM format, sth like this:
> --------BEGIN X509 CRL----------------
> asdflasf
> --------END X509 CRL------------------
>
>
> the following function set up server ctx and store, no error returns
> from it(no error for crl loading, right?). I got the above error from
> SSL_accept().
> SSL_CTX *setup_server_ctx(void)
> {
> SSL_CTX *ctx;
> X509_STORE *store;
> X509_LOOKUP *lookup;
>
> ctx = SSL_CTX_new(SSLv23_method( ));
> if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
> int_error("Error loading CA file and/or directory");
> if (SSL_CTX_set_default_verify_paths(ctx) != 1)
> int_error("Error loading default CA file and/or directory");
> if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
> int_error("Error loading certificate from file");
> if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) !=
> 1)
> int_error("Error loading private key from file");
> SSL_CTX_set_verify(ctx,
> SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> verify_callback);
> SSL_CTX_set_verify_depth(ctx, 4);
> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
> SSL_OP_SINGLE_DH_USE);
> SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
> if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
> int_error("Error setting cipher list (no valid ciphers)");
>
> //Enable CRL
> store = SSL_CTX_get_cert_store(ctx);
> if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
> int_error("Error creating X509_LOOKUP object");
> if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
> int_error("Error reading the CRL file");
> X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
> return ctx;
> }
> }
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
