I remember that most CDPs are an HTTP URL, an LDAP URL, a UNC string, etc. I
did not check the standard for all supported formats, but an HTTP URL
is the most common. So you may use any tool that supports HTTP to retrieve
them, such as wget or curl.

For example, in my browser there is a CA certificate issued by Comodo
CA Limited, with CN "AAA Certificate Services"; the CDP is the
following 2 URLs:
              URI:http://crl.comodoca.com/AAACertificateServices.crl
              URI:http://crl.comodo.net/AAACertificateServices.crl

You can use curl or wget to get them. However, I don't think OpenSSL
has an API to do this job.

Zhang Cong

On Dec 24, 2007 9:55 PM, Bruce Keats <[EMAIL PROTECTED]> wrote:
> Thank you.  Is there a function within the API that can do the CRL
> extraction from the CDP(s)?
>
> Bruce
>
> On Dec 22, 2007 4:32 AM, Cong Zhang <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > AFAIK, OpenSSL has no code to retrieve the CRL from CRL distribution
> > points. The CRL retrieval and update should be done by yourself.
> > However, putting a PEM-encoded CRL in CApath will make OpenSSL load
> > this CRL correctly.
> >
> > To use a CRL, you may retrieve and check the CRL in verify_callback, or use
> > an out-of-band manner to retrieve the CRL at intervals and put it in
> > CApath.
> >
> > Thanks,
> > Zhang Cong
> >
> > On Dec 21, 2007 2:24 AM, Bruce Keats <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I have a TLS/SSL client I wrote using openssl and I was wondering if I have
> > > to do anything special to verify if a certificate was revoked in one of the
> > > CRLs taken from one of the CDPs?  Is there special code or calls I need to
> > > make in the verify_callback() that is installed by SSL_CTX_set_verify()?  Is
> > > this handled automatically by openssl?  If so then how long is the CRL
> > > cached?
> > >
> > > This may seem like a simple question, but I have been unable to find the
> > > code that actually does this.  I found the CRL_DIST_POINTS type in
> > > crypto/x509v3/x509.h, but I don't seem to be able to find any code that
> > > looks like it is talking to the CDP to get the CRLs using this
> > > CRL_DIST_POINTS.
> > >
> > > I am using 0.9.8g.
> > >
> > > Thanks,
> > > Bruce
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
> >
>
>
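
The out-of-band approach described in this thread (save the CRL from the CDP with curl or wget, then put a PEM-encoded copy in CApath), as an added example that is not part of the original messages or of OpenSSL itself. It assumes the `openssl` command-line tool; the function names and the throwaway "Demo CA" are constructed for illustration.

```shell
#!/bin/sh
# install_crl CRL_FILE ISSUER_PEM CAPATH: vet a CRL that curl/wget saved from a CDP URL.
# Returns 0 when installed, 2 when not a CRL, 3 when the issuer's signature fails.
install_crl() {
    tmp=$(mktemp "$3/.crl.XXXXXX") || return 1
    # CDPs usually serve DER; normalise to PEM, accepting either encoding.
    openssl crl -inform DER -in "$1" -out "$tmp" 2>/dev/null ||
        openssl crl -inform PEM -in "$1" -out "$tmp" 2>/dev/null ||
        { rm -f "$tmp"; return 2; }
    # Plain HTTP gives no authenticity, so require the issuer's signature.
    # `openssl crl` can exit 0 on a bad signature; match its message instead.
    openssl crl -in "$tmp" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK' ||
        { rm -f "$tmp"; return 3; }
    hash=$(openssl crl -in "$tmp" -noout -hash) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$3/$hash.r0"   # CApath name for a CRL: <issuer-hash>.r<N>
}

# make_demo_pki DIR: constructed throwaway CA, one revoked leaf, and its CRL.
make_demo_pki() {
    dir=$1; mkdir -p "$dir/capath" && : > "$dir/index.txt" || return 1
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $dir/index.txt
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
EOF
    { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" &&
      openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=leaf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" &&
      openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -set_serial 2 -days 30 -out "$dir/leaf.pem" &&
      openssl ca -config "$dir/ca.cnf" -revoke "$dir/leaf.pem" &&
      openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" &&
      openssl crl -in "$dir/crl.pem" -outform DER -out "$dir/crl.der"; } >/dev/null 2>&1
}

# check_leaf DIR: verify the leaf, consulting the CRL found through CApath.
check_leaf() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CApath "$1/capath" "$1/leaf.pem" 2>&1
}
```

With a real CDP, the file passed to `install_crl` is what `curl -o` or `wget -O` saved from the URL, and the script is rerun at intervals so the copy in CApath is replaced before its nextUpdate passes.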