Thanks Austin,
I searched the mailing list and read the same thread. :-)
My problem still exists because, no matter whether I use a revoked certificate on
the client side or not, I get the same error if I enable the CRL check. So I
think there must be something wrong in my code. I just combined the two
examples from <<Network Security with OpenSSL>> together.

Jacky

On 2003-07-15 at 11:32, Austin Krauss wrote:
> I ran across this as well. Check out this thread:
> 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg31473.html
> 
> 
> austin
> 
> ----- Original Message ----- 
> From: "Jue (Jacky) Shu" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 15, 2003 11:29 AM
> Subject: CRL problem
> 
> 
> > Hi all,
> > 
> > I'm trying to implement CRL checking in my server program.
> > If I don't use a CRL, the server runs well.
> > After I load the CRL file, I get the following errors:
> > 
> > -Error with certificate at depth: 0
> >   issuer   = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
> >   subject  = /C=AA/ST=BB/L=CC/O=DD/CN=EE
> >   err 3:unable to get certificate CRL
> > ** server.c:166 Error accepting SSL connection
> > 
> > The CRL file I loaded is in PEM format, something like this:
> > --------BEGIN X509 CRL----------------
> > asdflasf
> > --------END X509 CRL------------------
> > 
> > 
> > The following function sets up the server ctx and store; no error is returned
> > from it (no error for CRL loading, right?). I get the above error from
> > SSL_accept().
> > #include <openssl/ssl.h>
> > #include <openssl/x509_vfy.h>
> > 
> > /* int_error(), verify_callback(), tmp_dh_callback() and the CAFILE, CADIR,
> >  * CERTFILE, CRLFILE and CIPHER_LIST macros are defined elsewhere in the
> >  * program. */
> > SSL_CTX *setup_server_ctx(void)
> > {
> >     SSL_CTX *ctx;
> >     X509_STORE *store;
> >     X509_LOOKUP *lookup;
> > 
> >     ctx = SSL_CTX_new(SSLv23_method());
> >     if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
> >         int_error("Error loading CA file and/or directory");
> >     if (SSL_CTX_set_default_verify_paths(ctx) != 1)
> >         int_error("Error loading default CA file and/or directory");
> >     if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
> >         int_error("Error loading certificate from file");
> >     if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
> >         int_error("Error loading private key from file");
> >     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> >                        verify_callback);
> >     SSL_CTX_set_verify_depth(ctx, 4);
> >     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 |
> >                              SSL_OP_SINGLE_DH_USE);
> >     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
> >     if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
> >         int_error("Error setting cipher list (no valid ciphers)");
> > 
> >     /* Enable CRL checking: add a file lookup to the context's certificate
> >      * store, load the PEM CRL through it, and require CRL checks for every
> >      * certificate in the chain. */
> >     store = SSL_CTX_get_cert_store(ctx);
> >     if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
> >         int_error("Error creating X509_LOOKUP object");
> >     if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
> >         int_error("Error reading the CRL file");
> >     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
> >                                 X509_V_FLAG_CRL_CHECK_ALL);
> >     return ctx;
> > }
> > 
> > 
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]


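A command-line cross-check to run before debugging the C code above, added here and not part of the thread: it builds a throwaway one-level PKI with the openssl command, reproduces the callback's "err 3: unable to get certificate CRL" (X509_V_ERR_UNABLE_TO_GET_CRL) by enabling CRL checking without a CRL for the issuer, shows that the same check passes once the issuer's CRL is loaded, and then revokes the leaf to show the error a revoked client certificate should produce (err 23, certificate revoked). The file names, subjects and config sections are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the callback's "err 3" with the openssl CLI
# on a throwaway one-level PKI, then a real revocation (err 23). Assumes only the openssl command.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Root CA, a leaf certificate it issued, and an empty CRL; demo.cnf serves req and ca.
build_pki() {
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
    openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out ca.pem -subj "/O=DD/CN=Root CA" 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout ee.key -out ee.csr -subj "/O=DD/CN=EE" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in ee.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out ee.pem 2>/dev/null
    : > index.txt                        # empty CA database for "openssl ca"
    openssl ca -config demo.cnf -gencrl -out crl.pem 2>/dev/null
}
# Verify ee.pem with the given flags; report the X509_V_ERR number at depth 0, or OK.
verify_ee() {
    out=$(openssl verify "$@" ee.pem 2>&1 || true)
    case "$out" in
        *": OK"*)                echo "OK" ;;
        *"error 3 at 0 depth"*)  echo "err 3: unable to get certificate CRL" ;;
        *"error 23 at 0 depth"*) echo "err 23: certificate revoked" ;;
        *)                       echo "other: $out" ;;
    esac
}
build_pki
echo "CRL_CHECK, no CRL loaded:   $(verify_ee -crl_check -CAfile ca.pem)"
echo "CRL_CHECK_ALL, CRL loaded:  $(verify_ee -crl_check_all -CAfile ca.pem -CRLfile crl.pem)"
openssl ca -config demo.cnf -revoke ee.pem 2>/dev/null   # revoke the leaf, reissue CRL
openssl ca -config demo.cnf -gencrl -out crl.pem 2>/dev/null
echo "CRL_CHECK_ALL, EE revoked:  $(verify_ee -crl_check_all -CAfile ca.pem -CRLfile crl.pem)"
```

If the second line does not come out "OK" with your own CA and CRL files, the CRL in the store does not match the client certificate's issuer and the C code is not where the problem is.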
