I have a secure client application that loads a pkcs12 file containing client cert, client key, and trusted root CAs. It works perfectly, connecting only to servers signed by the trusted CAs.
However, when I load a single CRL file, then all connections fail:

"unable to get certificate CRL"
"SSL_connect error 1, error:00000001:lib(0):func(0):reason(1)"
"SSL error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

The certificates are generated with CA.pl, and the CRL with openssl CA utilities.

The code to load the CRL (with error checking removed here), assuming pSSL_CTX is the SSL context and file.crl is the CRL file:

-----
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* Add a file lookup to the context's store, load the CRL, enable CRL checks. */
X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );
X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );
X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
-----

Am I missing a step or doing something incorrectly?

I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10 (Sparc).

-David
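
Added example, not part of the original post: a shell reproduction of one condition under which OpenSSL reports "unable to get certificate CRL", using `openssl verify`, whose `-crl_check` and `-crl_check_all` options set the same X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL flags as the code above. The three-level chain, all subjects, file names and the config are constructed for the demo and assume a current `openssl` binary.

```shell
#!/bin/sh
# Constructed demo PKI: every subject, file name and config value here is made up.
build_pki() {                       # $1 = empty working directory
  cd "$1" || return 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 30
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  : > index.txt
  q() { "$@" >/dev/null 2>&1; }     # run quietly, keep the exit status
  # Chain: Demo Root CA -> Demo Sub CA -> server.example
  q openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA" -keyout root.key -out root.pem -days 30 &&
  q openssl req -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr &&
  q openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions v3_ca -out sub.pem -days 30 &&
  q openssl req -newkey rsa:2048 -nodes -config demo.cnf \
      -subj "/CN=server.example" -keyout srv.key -out srv.csr &&
  q openssl x509 -req -in srv.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
      -out srv.pem -days 30 &&
  # One CRL per CA. sub.crl alone covers only certificates issued by the sub CA.
  q openssl ca -gencrl -config demo.cnf -cert sub.pem -keyfile sub.key -out sub.crl &&
  q openssl ca -gencrl -config demo.cnf -cert root.pem -keyfile root.key -out root.crl &&
  cat sub.crl root.crl > all.crl
}

# $1 = -crl_check (leaf only) or -crl_check_all (whole chain), $2 = PEM CRL file.
check() {
  openssl verify -CAfile root.pem -untrusted sub.pem -CRLfile "$2" "$1" srv.pem 2>&1
}

DEMO_DIR=$(mktemp -d) && build_pki "$DEMO_DIR" || exit 1
echo "leaf only, sub CA CRL:";    check -crl_check     sub.crl || true
echo "whole chain, sub CA CRL:";  check -crl_check_all sub.crl || true
echo "whole chain, both CRLs:";   check -crl_check_all all.crl || true
```

The CRLs here are PEM, which is what `openssl ca -gencrl` writes; a loader passed X509_FILETYPE_ASN1 expects DER, so checking the return value of X509_load_crl_file shows whether the CRL reached the store at all.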