On Thu, Nov 10, 2005, david kine wrote:

> Okay, I solved this problem in a very unexpected way.
>
> First of all, I was using s_server incorrectly. I
> neglected to add -CAfile. Doing so caused my
> application to get the error "23: certificate revoked"
> as expected.
>
> However, accessing servers which were NOT revoked
> still produced the error "3: unable to get certificate
> CRL".
>
> I solved this problem in my SSL verify callback
> function by checking for error == 3, and returning
> true. In other words, by simply ignoring the error!
>
That would mean that a certificate which you didn't have a valid CRL for would be regarded as valid, so it's not a good idea.

Some older versions of OpenSSL didn't process the CRL_CHECK_ALL flag correctly so I'd suggest trying a newer version.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
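The point made in the reply above, as an added example that is not part of either message and is not OpenSSL code: a small model of the verify callback decision showing that returning true for error 3 accepts a chain whose revocation status is unknown. The callback shape, the `chain_accepted` driver and the traces are assumptions constructed for illustration; a real callback receives an `X509_STORE_CTX *` and reads the code with `X509_STORE_CTX_get_error()`.

```c
#include <stdio.h>

/* Codes quoted in the thread; OpenSSL names them X509_V_ERR_UNABLE_TO_GET_CRL
 * and X509_V_ERR_CERT_REVOKED. Redefined here so the model needs no libssl. */
enum { V_OK = 0, V_ERR_UNABLE_TO_GET_CRL = 3, V_ERR_CERT_REVOKED = 23 };

/* One callback invocation: the library's verdict for the cert at `depth`. */
struct step { int depth; int preverify_ok; int err; };
typedef int (*verify_cb)(int preverify_ok, int err, int depth);

/* The workaround from the thread: error 3 is turned into success. */
static int verify_fail_open(int preverify_ok, int err, int depth) {
    (void)depth;
    if (err == V_ERR_UNABLE_TO_GET_CRL) return 1;
    return preverify_ok;
}

/* Fail closed: report the error, never override the library's verdict. */
static int verify_fail_closed(int preverify_ok, int err, int depth) {
    if (!preverify_ok) fprintf(stderr, "verify error %d at depth %d\n", err, depth);
    return preverify_ok;
}

/* Hypothetical driver: a return of 0 from the callback aborts the handshake. */
static int chain_accepted(verify_cb cb, const struct step *s, int n) {
    for (int i = 0; i < n; i++)
        if (!cb(s[i].preverify_ok, s[i].err, s[i].depth)) return 0;
    return 1;
}

/* Constructed traces, CA at depth 1 and leaf at depth 0. */
static const struct step crl_present_good[]    = {{1, 1, V_OK}, {0, 1, V_OK}};
static const struct step crl_present_revoked[] = {{1, 1, V_OK}, {0, 0, V_ERR_CERT_REVOKED}};
/* No usable CRL: the leaf may or may not be revoked, the library cannot tell. */
static const struct step crl_missing[]         = {{1, 1, V_OK}, {0, 0, V_ERR_UNABLE_TO_GET_CRL}};

int main(void) {
    printf("fail-open,   CRL missing: %d\n", chain_accepted(verify_fail_open, crl_missing, 2));
    printf("fail-closed, CRL missing: %d\n", chain_accepted(verify_fail_closed, crl_missing, 2));
    printf("fail-open,   revoked:     %d\n", chain_accepted(verify_fail_open, crl_present_revoked, 2));
    printf("fail-closed, good:        %d\n", chain_accepted(verify_fail_closed, crl_present_good, 2));
    return 0;
}
```

Both callbacks agree whenever a CRL is available; they differ only in the missing-CRL trace, which is exactly the case where revocation cannot be ruled out.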