On Fri, Feb 15, 2008, Anri Lau wrote:
> Hello guys,
>
> I am setting the CRL path for SSL via SSL_context, but it is not useful.
>
> In the manual page, SSL_connection and SSL_accept are used to initiate a handshake
> and SSL_do_handshake() performs a handshake.
>
> Should SSL_do_handshake be called explicitly after SSL_accept/SSL_connection
> is called?
>
> Does SSL_connection/SSL_accept do the work of validating the certificate of the
> client or server?
>
You need to enable either X509_V_FLAG_CRL_CHECK, to expect a CRL for just the EE cert, or that and X509_V_FLAG_CRL_CHECK_ALL for the whole chain in the verification flags. Once those flags are set, a CRL must be supplied for the relevant certificates. The flags can be set in a number of places; probably the easiest is in the X509_STORE retrieved from the SSL_CTX.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
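The following is an added example, not code from this thread or from OpenSSL itself. It shows the two settings Steve describes (CRL required for the leaf only, or for the whole chain) using Python's standard ssl module, which exposes the same OpenSSL flags: VERIFY_CRL_CHECK_LEAF is X509_V_FLAG_CRL_CHECK and VERIFY_CRL_CHECK_CHAIN is X509_V_FLAG_CRL_CHECK together with X509_V_FLAG_CRL_CHECK_ALL. The cafile/crlfile paths and the host passed to verify_peer are hypothetical inputs supplied by the caller; the helper names are mine.

```python
# Added example, not code from the thread: enabling CRL checking through
# Python's stdlib ssl module, which exposes the OpenSSL verification flags
# Steve names (VERIFY_CRL_CHECK_LEAF is X509_V_FLAG_CRL_CHECK;
# VERIFY_CRL_CHECK_CHAIN is X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL).
import socket
import ssl


def crl_flags(whole_chain: bool) -> int:
    """Verify-flag bits for CRL checking.

    whole_chain=False: a CRL is required only for the end-entity (leaf) cert.
    whole_chain=True:  a CRL is required for every issuer in the chain too.
    """
    return ssl.VERIFY_CRL_CHECK_CHAIN if whole_chain else ssl.VERIFY_CRL_CHECK_LEAF


def make_crl_checking_context(cafile=None, crlfile=None, whole_chain=False):
    """Client context that rejects peers whose CRL cannot be found or checked.

    cafile/crlfile are hypothetical paths chosen by the caller; both go
    through load_verify_locations(), which accepts PEM CRLs as well as CA
    certificates (the CRLs may also be concatenated into the CA file).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Same effect as setting the X509_V_FLAG_CRL_CHECK* bits on the SSL_CTX's
    # verification parameters: without a matching CRL the handshake now fails.
    ctx.verify_flags |= crl_flags(whole_chain)
    for path in (cafile, crlfile):
        if path:
            ctx.load_verify_locations(cafile=path)
    return ctx


def has_leaf_crl_check(ctx: ssl.SSLContext) -> bool:
    """True if a CRL is required for the end-entity certificate."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def has_chain_crl_check(ctx: ssl.SSLContext) -> bool:
    """True if a CRL is required for every certificate in the chain."""
    mask = ssl.VERIFY_CRL_CHECK_CHAIN
    return (ctx.verify_flags & mask) == mask


def verify_peer(ctx: ssl.SSLContext, host: str, port: int = 443):
    """Connect and run the handshake; return (ok, detail).

    Certificate validation, CRL lookup included, happens inside the
    handshake, which the wrapped socket performs on connect(), so no
    separate do_handshake() call is needed. A missing CRL surfaces as an
    SSLCertVerificationError rather than as a silent pass.
    """
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get certificate CRL" when the flags are set but
        # no CRL for the issuer was loaded
        return False, exc.verify_message
```

verify_peer makes a network connection, so it is for manual use; the flag helpers run offline. For the server side of Anri's question (checking a client certificate against a CRL) build the context with ssl.PROTOCOL_TLS_SERVER instead and set verify_mode to CERT_REQUIRED; the verify_flags bits are the same.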