On Thu, Aug 26, 2004, Joseph Bruni wrote:

> I wrote a bit earlier about a problem I'm having with regards to a server
> that is verifying client certificates against a CRL. I currently have about
> 2000 clients connected simultaneously.  Without reason, the CRL object in my
> SSL_CTX goes bad and all new connections fail with the following error chain:
> 
> X509_verify_cert_error_string() = CRL signature failure
> 
> ### error:04077068:rsa routines:RSA_verify:bad signature ###
> error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib ###
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
> 
> Only by bouncing the process can I get things working again. After removing
> the code that adds CRL checking to my SSL_CTX the server runs fine, but I
> obviously can no longer reject clients with revoked certs.
> 
> In the OpenSSL book, the example that shows how to add CRL checking went
> through the process of adding a "file lookup" to the X509_STORE object.
> After poking around in the openssl source code a bit, I found a function
> called X509_STORE_add_crl(). Could the CRL object corruption be related to
> using the lookup? Would it be better to explicitly read in the X509_CRL
> object using a PEM_read function and then call this function to add it to
> the store? Or are these two methods equivalent?
> 
> I also looked through the s_server and s_client code for examples on how to
> add a CRL but couldn't find anything; just the setting of the flags when
> -crl_check is on the command line.
> 
> Bottom line, what is the proper way to do CRL checking?
> 

There shouldn't be a problem with the technique you are using. When a CRL is
first looked up it is added to a cache and stays there, so apart from the
initial lookup there aren't any differences.

It would help if you can dump out the CRL when you get this error to see if
the CRL is really corrupted or something else strange is happening. Then use
the CRL utility manually on the CRL to see if it verifies OK.

You can do this by adding a PEM_write_X509_CRL() inside the verify callback
triggered by the CRL signature error code. If that's not clear let me know and
I'll give more details.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]