Hello, I've been trying to find any usable and complete documentation about CRL checking and several other things, but I failed, so I'm asking here. I want to do this:

1] I already have a program which connects/accepts SSL connections, and verifies the other peer's certificate against a CA certificate.

2] I want it to reject the certificates which are present in a certificate revocation list (possibly multiple revocation lists), which is supplied in some file. It would be best if the file was loaded on program startup/initialization, so there was no need to do any I/O at runtime (because my program can possibly do a chroot()). I'm asking for what's the best and usual way to do this - all documentation I found about CRL-handling functions is in the form of a man-like reference (which doesn't help much, as I'm a newbie here), or in the form of source code (which is hard to read, because it does a million other things I don't need). Could anyone point out any tutorial which explains this, or, at least, shows the correct functions to do this?

3] I would like to check the incoming client certificate against multiple certificate authorities. I know this is possible with SSL_load_verify_locations using the indexed-directory loading, but, as I understood, it loads and examines the CAs on demand (which is impossible when my program is chrooted). Is there a possibility to load multiple CAs into memory?

4] I use SSL_VERIFY_FAIL_IF_NO_PEER_CERT, which, surprisingly to me, doesn't verify the certificate in Client mode. I suppose the Client mode is set when the SSL is connected using SSL_connect(), so my clients don't check for server certificate presence. Is there a method to force the certificate check even in the Client mode?

And maybe a summary:

5] Generally I guess that all my problems fall into the "write your own verify_callback" category. If I'm right, I can do 4] myself, but sadly I have really no idea how to store the CAs and CRLs in memory. I hope someone here can point out any resources that would help me, or just tell me what functions/methods of certificate storing/verifying to use.

Thanks in advance,
Mirek Kratochvil

PS., if it helps, the program I'm talking about is here: http://exa.czweb.org/?view=cloudvpn

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org