Thank you. Is there a function within the API that can do the CRL extraction from the CDP(s)?
Bruce

On Dec 22, 2007 4:32 AM, Cong Zhang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> AFAIK, OpenSSL has no code to retrieve the CRL from CRL distribution
> points. The CRL retrieve and update should be done by yourself.
> However, by putting a PEM encoded CRL to CApath will make OpenSSL load
> this CRL correctly.
>
> To use CRL, you may retrieve and check CRL at verify_callback, or use
> an out-of-band manner to retrieve CRL at intervals and put it to
> CApath.
>
> Thanks,
> Zhang Cong
>
> On Dec 21, 2007 2:24 AM, Bruce Keats <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I have a TLS/SSL client I wrote using openssl and I was wondering if I have
> > to do anything special to verify if a certificate was revoked in one of the
> > CRLs taken from one of the CDPs? Is there special code or calls I need to
> > make in the verify_callback() that is installed by SSL_CTX_set_verify()? Is
> > this handled automatically by openssl? If so then how long is the CRL
> > cached?
> >
> > This may seem like a simple question, but I have been unable to find the
> > code that actually does this. I found the CRL_DIST_POINTS type in
> > crypto/x509v3/x509.h, but I don't seem to be able to find any code that
> > looks like it is talking to the CDP to get the CRLs using this
> > CRL_DIST_POINTS.
> >
> > I am using 0.9.8g.
> >
> > Thanks,
> > Bruce
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
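For the out-of-band route described in the quoted reply, the first step is reading the CDP URLs out of the certificate so a separate job can fetch the CRL. The sketch below is an added example, not part of any message in this thread and not OpenSSL code: it walks the DER of the cRLDistributionPoints extension using only the Python standard library. All function names and the crl.example.test URLs are assumptions made for illustration; it does not fetch or verify anything.

```python
CDP_OID = bytes.fromhex("551d1f")  # OID 2.5.29.31 (cRLDistributionPoints), content octets

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated element or unsupported high tag number")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split the content of a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def find_cdp(der):
    """Search DER (e.g. a whole certificate) for the CDP extension's extnValue content."""
    for tag, val in children(der):
        kids = children(val) if tag & 0x20 else []  # only constructed elements nest
        if tag == 0x30 and kids and kids[0] == (0x06, CDP_OID) and kids[-1][0] == 0x04:
            return kids[-1][1]  # OCTET STRING that wraps CRLDistributionPoints
        found = find_cdp(val) if kids else None
        if found is not None:
            return found
    return None

def cdp_uris(cdp_der, schemes=("http://", "ldap://")):
    """URIs from each DistributionPoint's fullName, limited to schemes the fetcher handles."""
    uris = []
    for _, dp in children(read_tlv(cdp_der, 0)[1]):  # DistributionPoint SEQUENCEs
        for _, dp_name in (c for c in children(dp) if c[0] == 0xA0):  # [0] distributionPoint
            for _, names in (c for c in children(dp_name) if c[0] == 0xA0):  # [0] fullName
                uris += [v.decode("ascii") for t, v in children(names) if t == 0x86]  # [6] URI
    return [u for u in uris if u.lower().startswith(schemes)]

def tlv(tag, body):  # short-form encoder, used only to build the constructed sample below
    return bytes([tag, len(body)]) + body
# Constructed sample: an [3] Extensions wrapper holding one CDP extension with two URIs.
NAMES = tlv(0x86, b"http://crl.example.test/ca.crl") + tlv(0x86, b"ftp://crl.example.test/ca.crl")
CDP_EXT = tlv(0x30, tlv(0x06, CDP_OID) + tlv(0x04, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, NAMES))))))
SAMPLE = tlv(0xA3, tlv(0x30, CDP_EXT))
```

The URLs come from the certificate being checked, so the scheme filter restricts them to what the fetching job is meant to handle; `cdp_uris(find_cdp(SAMPLE))` returns only the http URL from the sample.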