On Wed, Jan 28, 2009, PS wrote:

> Hi All,
> I was under the impression that openssl allows loading multiple CRLs for the
> same issuer. But, this does not seem to be the case as is proved by using
> "openssl verify".
>
> $ ls -l ./ca/
> total 24
> lrwxrwxrwx 1 pshah users   10 Jan 28 21:56 ba4bb3b6.0  -> cacert.pem     -----> the CA cert
> lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r0 -> revoked_48.pem ----> revokes only cert48.pem
> lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r1 -> revoked_49.pem -----> revokes only cert49.pem
> -rw-r--r-- 1 pshah users 1233 Jan 28 17:09 cacert.pem
> -rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_48.pem
> -rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_49.pem
>
> $ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
> cert49.pem: OK
>
> $ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
> cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
> error 23 at 0 depth lookup:certificate revoked
> 29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table:x509_lu.c:418:
>
> So, as seen above, the second CRL is not loaded (and I have confirmed this
> with gdb.).
>
OpenSSL 0.9.9-dev has additional CRL support not found in 0.9.8. It includes
support for loading multiple CRLs with the same issuer name.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
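The directory listing in the quoted post follows OpenSSL's -CApath convention: each file is reached through a symlink named after the subject-name hash of the issuer, with `.N` suffixes for CA certificates and `.rN` suffixes for CRLs, so two CRLs from one issuer live side by side as `HASH.r0` and `HASH.r1`. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It installs certificate and CRL files into such a directory, choosing the next free suffix the way the listing shows, and then runs `openssl verify -crl_check` against the result. The function names (`next_slot`, `install_cert`, `install_crl`, `verify_with_crls`) and the usage form are assumptions of this example; the `openssl x509 -hash`, `openssl crl -hash` and `openssl verify -CApath -crl_check` invocations are standard OpenSSL commands. Whether the second CRL is actually honoured during verification is the version question Steve answers above: the layout is the same either way.

```shell
#!/bin/sh
# Added example (not from the thread): populate an OpenSSL -CApath directory
# with CA certificates (HASH.N) and CRLs (HASH.rN), allocating the next free
# suffix so several CRLs from the same issuer can coexist, as in the listing
# ba4bb3b6.0 / ba4bb3b6.r0 / ba4bb3b6.r1 quoted above.
set -eu

# Lowest unused suffix for HASH of the given KIND ("" for certificates,
# "r" for CRLs) inside store directory DIR. Pure shell, no openssl needed.
#   next_slot DIR HASH KIND  -> prints e.g. "ba4bb3b6.r1"
next_slot() {
    dir=$1; hash=$2; kind=$3; n=0
    while [ -e "$dir/$hash.$kind$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s%s\n' "$hash" "$kind" "$n"
}

# Absolute path of a file, so the symlink stays valid from any cwd.
abspath() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# Link a PEM CA certificate into DIR under its subject-name hash.
install_cert() {
    dir=$1; pem=$2
    hash=$(openssl x509 -noout -hash -in "$pem")
    name=$(next_slot "$dir" "$hash" "")
    ln -s "$(abspath "$pem")" "$dir/$name"
    printf '%s\n' "$name"
}

# Link a PEM CRL into DIR under its issuer-name hash with an .rN suffix.
install_crl() {
    dir=$1; pem=$2
    hash=$(openssl crl -noout -hash -in "$pem")
    name=$(next_slot "$dir" "$hash" "r")
    ln -s "$(abspath "$pem")" "$dir/$name"
    printf '%s\n' "$name"
}

# Verify a leaf certificate against the store with CRL checking enabled;
# returns openssl's exit status (non-zero for a revoked certificate).
verify_with_crls() {
    openssl verify -CApath "$1" -crl_check "$2"
}

# Usage: sh crl_store.sh STOREDIR cacert.pem revoked_48.pem revoked_49.pem
# Each argument after STOREDIR is detected as a CRL or a certificate and linked
# in; afterwards run: verify_with_crls STOREDIR cert48.pem
if [ "$#" -ge 2 ]; then
    store=$1; shift
    mkdir -p "$store"
    for f in "$@"; do
        if openssl crl -noout -in "$f" >/dev/null 2>&1; then
            install_crl "$store" "$f"
        else
            install_cert "$store" "$f"
        fi
    done
fi
```

Newer OpenSSL releases ship `openssl rehash` (and older ones the `c_rehash` script), which produce the same naming scheme automatically; the hand-rolled `next_slot` here only makes the `.r0`, `.r1` allocation visible. When a leaf certificate is revoked, `openssl verify` exits non-zero and prints "certificate revoked", which is the signal a monitoring script should key on rather than grepping for "OK".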