Hi,

AFAIK, OpenSSL has no code to retrieve the CRL from CRL distribution points. The CRL retrieval and update have to be done by yourself. However, putting a PEM-encoded CRL in CApath will make OpenSSL load this CRL correctly.

To use CRLs, you may retrieve and check the CRL in verify_callback, or use an out-of-band mechanism to retrieve the CRL at intervals and put it in CApath.

Thanks,
Zhang Cong

On Dec 21, 2007 2:24 AM, Bruce Keats <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have a TLS/SSL client I wrote using OpenSSL and I was wondering if I have
> to do anything special to verify whether a certificate was revoked in one of the
> CRLs taken from one of the CDPs? Is there special code or calls I need to
> make in the verify_callback() that is installed by SSL_CTX_set_verify()? Is
> this handled automatically by OpenSSL? If so, then how long is the CRL
> cached?
>
> This may seem like a simple question, but I have been unable to find the
> code that actually does this. I found the CRL_DIST_POINTS type in
> crypto/x509v3/x509.h, but I don't seem to be able to find any code that
> looks like it is talking to the CDP to get the CRLs using this
> CRL_DIST_POINTS.
>
> I am using 0.9.8g.
>
> Thanks,
> Bruce
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
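The two points in Zhang Cong's reply (OpenSSL ignores the CDP in the certificate, and a PEM CRL placed in CApath is picked up) can be checked end to end with the openssl command line. The script below is an added example, not code from the thread and not OpenSSL's own code. It assumes only the openssl CLI is installed: the CA, the leaf certificate "leaf.example.invalid" and the CDP URL http://crl.example.invalid/demo.crl are throwaway fixtures it constructs itself, and no network access is made. It also shows the detail the reply leaves implicit: the CRL must be stored under the hashed file name <issuer-hash>.r0 that the CApath lookup expects, and the hash must come from the same openssl binary that will do the lookups, because 0.9.8 and 1.0.0+ hash subject names differently.

```sh
#!/bin/sh
# Added example (not from the thread, not OpenSSL code): prove that OpenSSL does
# not fetch a CRL from the certificate's CDP, and that a PEM CRL dropped into
# CApath under the hashed name <issuer-hash>.r0 is honoured by -crl_check.
# Assumes only the openssl CLI. The CA, leaf and CDP URL are constructed fixtures.
set -e

WORK=$(mktemp -d)
CAPATH="$WORK/capath"
LOG="$WORK/openssl.log"
mkdir -p "$CAPATH" "$WORK/ca"
: > "$WORK/ca/index.txt"
echo 01 > "$WORK/ca/serial"
echo 01 > "$WORK/ca/crlnumber"

# Minimal config shared by 'openssl req' and 'openssl ca' (hypothetical throwaway CA).
cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
# The leaf carries a CDP, but OpenSSL never contacts it (hypothetical URL).
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
x509_extensions  = v3_leaf
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
export OPENSSL_CONF="$WORK/ca.cnf"

# Throwaway CA key and certificate, plus one leaf certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Demo CA" -days 1 >>"$LOG" 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=leaf.example.invalid" >>"$LOG" 2>&1
openssl ca -config "$WORK/ca.cnf" -batch -notext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" >>"$LOG" 2>&1

# Trust anchor goes into CApath as <subject-hash>.0, hashed by the same binary
# that will later do the lookups (0.9.8 and 1.0.0+ compute different hashes).
cp "$WORK/ca.pem" "$CAPATH/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"

# Verify the leaf with CRL checking enabled and classify the outcome.
crl_status() {
    out=$(openssl verify -crl_check -CApath "$CAPATH" "$WORK/leaf.pem" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo "other: $out" ;;
    esac
}

# Regenerate the CRL and install it under the name the CApath lookup expects:
# <issuer-hash>.r0 (the hash of the CRL's issuer equals the CA's subject hash).
install_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >>"$LOG" 2>&1
    cp "$WORK/crl.pem" "$CAPATH/$(openssl crl -noout -hash -in "$WORK/crl.pem").r0"
}

STATUS_NO_CRL=$(crl_status)          # CDP in the cert is ignored: no-crl
install_crl
STATUS_BEFORE_REVOKE=$(crl_status)   # CRL found in CApath, leaf not listed: ok
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" >>"$LOG" 2>&1
STATUS_STALE_CRL=$(crl_status)       # revoked at the CA, old CRL still on disk: ok
install_crl
STATUS_AFTER_REVOKE=$(crl_status)    # fresh CRL installed: revoked

printf 'no CRL in CApath:       %s\n' "$STATUS_NO_CRL"
printf 'CRL installed:          %s\n' "$STATUS_BEFORE_REVOKE"
printf 'revoked, stale CRL:     %s\n' "$STATUS_STALE_CRL"
printf 'revoked, fresh CRL:     %s\n' "$STATUS_AFTER_REVOKE"
```

The first status answers Bruce's question directly: with only the CA in CApath, -crl_check fails with "unable to get certificate CRL" even though the leaf names a CDP, because nothing in the library dereferences it. The third status shows why the out-of-band refresh Zhang Cong describes has to actually replace the .r0 file: revocation at the CA is invisible until a new CRL is written there, so "how long is the CRL cached" is decided by whoever maintains CApath, not by OpenSSL. A CRL written under any other name (for example demo.crl) is never consulted, which is the most common reason this setup appears to silently do nothing.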