Thanks Austin, I searched the mailing list and read the same thread. :-) My problem still exists: no matter whether I use a revoked certificate on the client side or not, I get the same error if I enable the CRL check, so I think there must be something wrong in my code. I just combined the two examples from "Network Security with OpenSSL" together.
Jacky

On 2003-07-15 at 11:32, Austin Krauss wrote:
> I ran across this as well. Check out this thread:
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg31473.html
>
> austin
>
> ----- Original Message -----
> From: "Jue (Jacky) Shu" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 15, 2003 11:29 AM
> Subject: CRL problem
>
> > Hi all,
> >
> > I'm trying to implement CRL in my server program.
> > If I don't use CRL, the server runs well.
> > After I load the CRL file, I get the following errors:
> >
> > -Error with certificate at depth: 0
> > issuer = /C=AA/ST=BB/L=CC/O=DD/CN=Root CA
> > subject = /C=AA/ST=BB/L=CC/O=DD/CN=EE
> > err 3:unable to get certificate CRL
> > ** server.c:166 Error accepting SSL connection
> >
> > The CRL file I loaded is in PEM format, something like this:
> > --------BEGIN X509 CRL----------------
> > asdflasf
> > --------END X509 CRL------------------
> >
> > The following function sets up the server ctx and store; no error is returned
> > from it (no error for CRL loading, right?). I got the above error from
> > SSL_accept().
> >
> > SSL_CTX *setup_server_ctx(void)
> > {
> >     SSL_CTX *ctx;
> >     X509_STORE *store;
> >     X509_LOOKUP *lookup;
> >
> >     ctx = SSL_CTX_new(SSLv23_method());
> >     if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
> >         int_error("Error loading CA file and/or directory");
> >     if (SSL_CTX_set_default_verify_paths(ctx) != 1)
> >         int_error("Error loading default CA file and/or directory");
> >     if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
> >         int_error("Error loading certificate from file");
> >     if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
> >         int_error("Error loading private key from file");
> >     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> >                        verify_callback);
> >     SSL_CTX_set_verify_depth(ctx, 4);
> >     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);
> >     SSL_CTX_set_tmp_dh_callback(ctx, tmp_dh_callback);
> >     if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
> >         int_error("Error setting cipher list (no valid ciphers)");
> >
> >     /* Enable CRL checking: load the CRL into the ctx's X509_STORE and
> >      * require a CRL for every certificate in the chain. */
> >     store = SSL_CTX_get_cert_store(ctx);
> >     if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
> >         int_error("Error creating X509_LOOKUP object");
> >     if (X509_load_crl_file(lookup, CRLFILE, X509_FILETYPE_PEM) != 1)
> >         int_error("Error reading the CRL file");
> >     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
> >     return ctx;
> > }
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
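Error 3 in the quoted output is X509_V_ERR_UNABLE_TO_GET_CRL: the verifier looked for a CRL whose issuer matches the certificate's issuer and found none in the store. It is not the error you get when a loaded CRL lists the certificate; that is error 23, X509_V_ERR_CERT_REVOKED. The script below is an added example (not code from the thread or from the book) that builds a throwaway CA with the openssl command line, issues and then revokes a client certificate, and runs `openssl verify` with the same CRL flags the server code sets (`-crl_check` corresponds to X509_V_FLAG_CRL_CHECK, `-crl_check_all` to X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL). All names (Test Root CA, client, crl-empty.pem, crl-revoked.pem) are made up for the example, and it assumes an `openssl` 1.1.x or 3.x binary and `mktemp` on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA with the openssl
# CLI, issue a client certificate, revoke it, and run `openssl verify` with the
# same CRL flags the server code sets, so that "unable to get certificate CRL"
# (error 3: no CRL for the issuer was found in the store) can be told apart
# from "certificate revoked" (error 23: the CRL was found and applied).
# Assumptions: an `openssl` binary (1.1.x or 3.x) and `mktemp` on PATH.
set -e

# Create a fresh working directory with a minimal CA config and cd into it.
# Names (Test Root CA, client, crl-empty.pem, crl-revoked.pem) are made up here.
setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    mkdir ca
    : > ca/index.txt
    echo 01 > ca/serial
    echo 01 > ca/crlnumber
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca         = test_ca
[ test_ca ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.pem
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = any_policy
x509_extensions    = usr_cert
[ any_policy ]
commonName         = supplied
[ usr_cert ]
basicConstraints   = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
    # Self-signed root, then a client certificate issued by it.
    openssl req -x509 -config ca/openssl.cnf -newkey rsa:2048 -nodes \
        -keyout ca/ca.key -out ca/ca.pem -subj "/CN=Test Root CA" -days 365 >/dev/null 2>&1
    openssl req -new -config ca/openssl.cnf -newkey rsa:2048 -nodes \
        -keyout client.key -out client.csr -subj "/CN=client" >/dev/null 2>&1
    openssl ca -batch -config ca/openssl.cnf -in client.csr -out client.pem >/dev/null 2>&1
    # One CRL before the revocation and one after it.
    openssl ca -config ca/openssl.cnf -gencrl -out crl-empty.pem >/dev/null 2>&1
    openssl ca -config ca/openssl.cnf -revoke client.pem >/dev/null 2>&1
    openssl ca -config ca/openssl.cnf -gencrl -out crl-revoked.pem >/dev/null 2>&1
}

# verify_code CERT [openssl verify options...]
# Prints 0 when the chain verifies, otherwise the X509_V_ERR_* number that
# `openssl verify` reports ("error N at D depth lookup: ...").
verify_code() {
    cert=$1
    shift
    out=$(openssl verify -CAfile ca/ca.pem "$@" "$cert" 2>&1 || true)
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

setup_pki
echo "no CRL flags:               $(verify_code client.pem)"
echo "-crl_check, no CRL loaded:  $(verify_code client.pem -crl_check)"
echo "-crl_check, empty CRL:      $(verify_code client.pem -crl_check -CRLfile crl-empty.pem)"
echo "-crl_check, revoked:        $(verify_code client.pem -crl_check -CRLfile crl-revoked.pem)"
echo "-crl_check_all, revoked:    $(verify_code client.pem -crl_check_all -CRLfile crl-revoked.pem)"
```

Run the same `openssl verify -crl_check_all -CAfile <CA file> -CRLfile <CRL file> <client cert>` against the real CAFILE, CRLFILE and the client certificate the server rejects. If the CLI reports 0 or 23 for those files, the CRL is well formed and its issuer matches, and the problem lies in how the program's X509_STORE is being populated or flagged; if the CLI also reports 3, the CRL file itself does not match the client certificate's issuer. Note that with a single self-signed root, one CRL issued by that root satisfies `-crl_check_all` for both the client certificate and the root.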