On Thu, Nov 10, 2005, david kine wrote:

> I tried your suggestion to set only X509_V_FLAG_CRL_CHECK, but
> unfortunately it did not help. Attempting to connect to ANY secure
> server still causes the same "unable to get certificate CRL" error.
>
> I know that the CRL is loaded successfully, because I can later extract
> it from the SSL_CTX and print its issuer using
> X509_NAME_oneline( X509_CRL_get_issuer() ).
>
> (The original PEM CRL was converted to DER as you noticed).
>
> I tried an experiment where I do NOT load the CRL, but I DO set the
> X509_V_FLAG_CRL_CHECK flag. The same error occurs: cannot connect to any
> secure server, with the "unable to get certificate CRL" message.
> Perhaps this is a clue.
>
> To summarize, my program works perfectly unless I set the
> X509_V_FLAG_CRL_CHECK flag, whether or not I add a CRL using
> X509_load_crl_file().
>
Does the CRL cover the server certificate in question?

I'd suggest extracting a server chain using the -showcerts option to
s_client. Then pass the chain to "openssl verify", include the CRL and see
if you can get the crl_check option to work with that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
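The check Steve suggests, carried out offline as an added example that is not part of the thread: the script below builds a throwaway CA with the openssl command line, issues a server certificate and a CRL from it, then runs `openssl verify -crl_check` once without the CRL (which reproduces error 3, "unable to get certificate CRL") and once with the CRL supplied through `-CRLfile`. The `-crl_check` option sets the same X509_V_FLAG_CRL_CHECK flag the program in the thread sets. "Demo CA", "demo.example" and all file names are made up for the demo; against a real server you would replace the generated srv.crt with the chain captured by `openssl s_client -showcerts` as Steve describes.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get certificate CRL"
# offline, then show the same check passing once the issuer's CRL is present.
# "Demo CA", "demo.example" and every file name below are made up for this demo.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a server certificate it issued, and an (empty) CRL it signed.
setup_pki() {
    mkdir -p "$WORK/ca"
    : > "$WORK/ca/index.txt"          # certificate database used by "openssl ca"
    echo 01 > "$WORK/ca/crlnumber"     # next CRL number
    # Minimal config: [ ca ] is only used by "openssl ca -gencrl"; the [ req ]
    # part gives the self-signed CA certificate CA:TRUE and cRLSign.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req_dn ]
EOF
    # Self-signed CA certificate.
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
    # Server certificate issued by that CA.
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -subj "/CN=demo.example" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/srv.crt" 2>/dev/null
    # CRL signed by the same CA; this is what -crl_check has to be able to find.
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# What the thread hits: -crl_check (X509_V_FLAG_CRL_CHECK) is on, but no CRL
# from the server certificate's issuer is available to the verifier.
verify_without_crl() {
    openssl verify -CAfile "$WORK/ca.crt" -crl_check "$WORK/srv.crt"
}

# The check with the issuer's CRL supplied: the leaf's revocation status can
# now be determined, so verification succeeds.
verify_with_crl() {
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" -crl_check "$WORK/srv.crt"
}

setup_pki
echo "--- -crl_check without the issuer's CRL (expected to fail with error 3):"
if verify_without_crl; then
    echo "unexpected: verification passed without a CRL"
fi
echo "--- -crl_check with the issuer's CRL:"
verify_with_crl
```

The first `openssl verify` fails with "error 3 at 0 depth lookup: unable to get certificate CRL" because X509_V_FLAG_CRL_CHECK makes OpenSSL require a CRL from the issuer of the certificate being checked; the second passes because that CRL is in the store. The flag does not care whether some CRL is loaded, only whether the right issuer's CRL is, which is why loading a single CRL and then connecting to servers under other CAs still fails for every one of them.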