OK, I found my problem verifying my CRL. Problem was that certificates were signed by the CA root instead of the CA.

Thanks for the CAfile option that verifies the CRL.

michael Dorrian <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
23/03/2006 02:38
Please reply to openssl-users
To: openssl-users@openssl.org
cc:
Subject: Re: SSLCARevocationFile

Sorry, was a typo in the last post......

# openssl ca -revoke file.pem
# openssl ca -gencrl -out revokefile.crl
# openssl crl -in revokefile.crl -noout -CAfile file.pem

michael Dorrian <[EMAIL PROTECTED]> wrote:

try this:

# openssl ca -revoke file.pem
# openssl ca -gencrl -out revokefile.crl
# openssl crl -in exampleca.crl -noout -CAfile file.pem

[EMAIL PROTECTED] wrote:

Hello,

I built a web server with Apache 2.xx. Access is secured with the SSLVerifyClient directive.

When I revoke a certificate and then generate my CRL, I can verify that the certificate has been properly revoked and is part of the CRL with the following commands:

openssl ca -config openssl.cnf -revoke file.pem
openssl ca -config openssl.cnf -gencrl -out crl.pem -crldays 30

And:

openssl crl -in crl.pem -text

Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=FR/ST=RHONE ALPE/L=LYON/O=DGI/CN=ca_root/[EMAIL PROTECTED]
        Last Update: Mar 21 12:05:03 2006 GMT
        Next Update: Apr 20 12:05:03 2006 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Mar 17 13:13:21 2006 GMT
    Serial Number: 03
        Revocation Date: Mar 17 12:16:19 2006 GMT
    Signature Algorithm: md5WithRSAEncryption
        73:66:b1:89:22:80:78:a7:c7:d5:ce:d9:5e:35:0b:96:d1:83:
        57:3c:4a:c0:9e:30:d4:9a:37:96:79:71:ff:85:48:42:4a:35:
        56:f8:d9:fa:d1:ad:c9:74:5d:e8:02:bd:27:2c:6b:77:55:59:
        96:07:f1:fc:4d:b8:1b:4c:14:2d:86:84:7c:8b:a7:b0:10:c6:
        32:b6:37:d6:f9:41:3a:38:85:61:57:ac:46:76:b0:df:cb:1b:
        b3:24:46:6f:8b:32:61:39:4f:b8:6d:ad:75:a2:63:85:7d:56:
        f1:2c:3d:0d:f0:c2:d1:d4:9e:a8:2c:86:27:4d:e3:c3:69:8c:
        3a:c9:66:f3:44:86:e8:a9:a8:a0:3b:70:23:6f:c8:3e:e1:bf:
        2a:15:cf:ed:fb:d4:2d:57:8d:54:f7:53:aa:1a:8b:89:f0:69:
        c9:00:dd:8f:bf:73:88:95:86:a4:76:f3:7a:fe:39:44:a9:1c:
        9f:41:dd:6e:62:51:0c:43:81:a5:e3:fe:ab:f3:2f:27:a9:c0:
        0f:92:a3:ab:da:35:9a:6c:ce:57:eb:61:b8:1c:7f:91:b6:ad:
        c0:99:21:bb:30:b8:25:13:5e:b5:fb:ed:e9:55:b3:4c:4a:19:
        d8:96:fc:f3:e1:2c:62:a9:80:d5:b3:72:ce:37:5d:36:36:22:
        a4:74:e9:c3
-----BEGIN X509 CRL-----
MIIB4TCByjANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJGUjETMBEGA1UECBMK
UkhPTkUgQUxQRTENMAsGA1UEBxMETFlPTjEMMAoGA1UEChMDREdJMRAwDgYDVQQD
FAdjYV9yb290MR4wHAYJKoZIhvcNAQkBFg9jYV9yb290QGRnaS5jb20XDTA2MDMy
MTEyMDUwM1oXDTA2MDQyMDEyMDUwM1owKDASAgECFw0wNjAzMTcxMzEzMjFaMBIC
AQMXDTA2MDMxNzEyMTYxOVowDQYJKoZIhvcNAQEEBQADggEBAHNmsYkigHinx9XO
2V41C5bRg1c8SsCeMNSaN5Z5cf+FSEJKNVb42frRrcl0XegCvScsa3dVWZYH8fxN
uBtMFC2GhHyLp7AQxjK2N9b5QTo4hWFXrEZ2sN/LG7MkRm+LMmE5T7htrXWiY4V9
VvEsPQ3wwtHUnqgshidN48NpjDrJZvNEhuipqKA7cCNvyD7hvyoVz+371C1XjVT3
U6oai4nwackA3Y+/c4iVhqR283r+OUSpHJ9B3W5iUQxDgaXj/qvzLyepwA+So6va
NZpszlfrYbgcf5G2rcCZIbswuCUTXrX77elVs0xKGdiW/PPhLGKpgNWzcs43XTY2
IqR06cM=
-----END X509 CRL-----

Problem: I'm still able to connect to the server with my revoked certificate.

Question: I'm not sure that Apache takes my CRL into account; how can I verify it?

Second question: what can I do so that my revoked certificate is rejected by the web server?

My httpd.conf:

DocumentRoot "/var/www/serveur/serverssl/html"
ServerName serverssl
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_ssl_log
TransferLog logs/access_ssl_log
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/ssl/cassl/serverssl.pem
SSLCertificateKeyFile /etc/ssl/cassl/serverssl.key
SSLCACertificatePath /etc/ssl/cassl
SSLCACertificateFile /etc/ssl/cassl/trustees.pem
SSLCARevocationFile /etc/ssl/crl/crl.pem
SSLVerifyClient require
SSLVerifyDepth 10

Any help would be great

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
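The root cause the thread ends on is a CRL that does not belong to the CA that actually signed the client certificates. A revocation entry only applies when the CRL's issuer name equals the certificate's issuer name, so the first thing to check is that pair of fields. The following is an added example, not code from the thread or from OpenSSL: a standard-library-only DER decoder that pulls the issuer, update times, revoked serials and signature out of the CRL posted above (CRL_PEM below is that CRL verbatim), plus a helper that reports whether a given issuer/serial pair is covered. The names parse_crl and revocation_status are mine; the OID tables cover only the common attribute types and signature algorithms.

```python
"""Decode the fields of an X.509 CRL (RFC 5280 section 5) that a revocation
check depends on, using only the Python standard library.

Added example for the openssl-users thread; not the thread's or OpenSSL's code.
"""
import base64

# The CRL posted in the thread, verbatim (it is the page's own data).
CRL_PEM = """-----BEGIN X509 CRL-----
MIIB4TCByjANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJGUjETMBEGA1UECBMK
UkhPTkUgQUxQRTENMAsGA1UEBxMETFlPTjEMMAoGA1UEChMDREdJMRAwDgYDVQQD
FAdjYV9yb290MR4wHAYJKoZIhvcNAQkBFg9jYV9yb290QGRnaS5jb20XDTA2MDMy
MTEyMDUwM1oXDTA2MDQyMDEyMDUwM1owKDASAgECFw0wNjAzMTcxMzEzMjFaMBIC
AQMXDTA2MDMxNzEyMTYxOVowDQYJKoZIhvcNAQEEBQADggEBAHNmsYkigHinx9XO
2V41C5bRg1c8SsCeMNSaN5Z5cf+FSEJKNVb42frRrcl0XegCvScsa3dVWZYH8fxN
uBtMFC2GhHyLp7AQxjK2N9b5QTo4hWFXrEZ2sN/LG7MkRm+LMmE5T7htrXWiY4V9
VvEsPQ3wwtHUnqgshidN48NpjDrJZvNEhuipqKA7cCNvyD7hvyoVz+371C1XjVT3
U6oai4nwackA3Y+/c4iVhqR283r+OUSpHJ9B3W5iUQxDgaXj/qvzLyepwA+So6va
NZpszlfrYbgcf5G2rcCZIbswuCUTXrX77elVs0xKGdiW/PPhLGKpgNWzcs43XTY2
IqR06cM=
-----END X509 CRL-----"""

# Attribute types commonly found in issuer names (OID -> short name).
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
             "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(value):
    """Render an X.501 Name the way `openssl crl -text` prints it: /C=FR/ST=.../CN=..."""
    parts = []
    for _, rdn in der_children(value):          # SEQUENCE OF RelativeDistinguishedName
        for _, atv in der_children(rdn):        # SET OF AttributeTypeAndValue
            (_, oid), (tag, val) = der_children(atv)
            oid = decode_oid(oid)
            text = val.decode("utf-8" if tag == 0x0C else "latin-1")  # UTF8String vs. others
            parts.append(f"{OID_NAMES.get(oid, oid)}={text}")
    return "/" + "/".join(parts)


def parse_crl(pem):
    """Decode a PEM CRL into issuer, update times, revoked (serial, date) pairs, signature."""
    b64 = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    _, crl, _ = der_tlv(base64.b64decode(b64))
    (_, tbs), (_, sig_alg), (_, sig) = der_children(crl)   # CertificateList
    fields = der_children(tbs)                             # TBSCertList
    version = 1
    if fields[0][0] == 0x02:                               # optional version INTEGER (1 means v2)
        version = int.from_bytes(fields.pop(0)[1], "big") + 1
    _alg, (_, issuer), (_, this_update) = fields[:3]
    rest = fields[3:]
    next_update = None
    if rest and rest[0][0] in (0x17, 0x18):                # UTCTime / GeneralizedTime
        next_update = rest.pop(0)[1].decode()
    revoked = []
    if rest and rest[0][0] == 0x30:                        # revokedCertificates SEQUENCE
        for _, entry in der_children(rest[0][1]):
            (_, serial), (_, date) = der_children(entry)[:2]
            revoked.append((int.from_bytes(serial, "big"), date.decode()))
    alg_oid = decode_oid(der_children(sig_alg)[0][1])
    return {"version": version,
            "signature_algorithm": SIG_ALGS.get(alg_oid, alg_oid),
            "issuer": decode_name(issuer),
            "last_update": this_update.decode(),
            "next_update": next_update,
            "revoked": revoked,
            "signature": sig[1:].hex()}                    # drop the BIT STRING unused-bits byte


def revocation_status(crl, cert_issuer, serial):
    """'revoked' or 'good' when the CRL is the right one; 'wrong-crl' if the issuers differ."""
    if crl["issuer"] != cert_issuer:
        return "wrong-crl"
    return "revoked" if any(s == serial for s, _ in crl["revoked"]) else "good"


if __name__ == "__main__":
    info = parse_crl(CRL_PEM)
    for key in ("version", "signature_algorithm", "issuer", "last_update", "next_update"):
        print(f"{key}: {info[key]}")
    for serial, date in info["revoked"]:
        print(f"revoked serial {serial:02x} on {date}")
```

Feed the issuer printed here against the issuer of the certificate that is supposed to be rejected (openssl x509 -in client.pem -noout -issuer gives it in the same /C=.../CN=... form) and its serial (openssl x509 -in client.pem -noout -serial). A 'wrong-crl' result is exactly the thread's situation: the CRL is well-formed and lists the serial, but it was issued by a different CA than the one on the certificate, so the entry never applies to it. For the end-to-end check on the command line, openssl verify -crl_check -CAfile ca-chain.pem -CRLfile crl.pem client.pem must fail for a revoked certificate before the web server is expected to reject it.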