Hi, I am using openssl 0.9.8b on CentOS 5.2 and I see some behaviour that I cannot understand. I am using SSL_CTX_set_verify(SSL_VERIFY_PEER) on both the client and server. The certificate chain has a root with multiple levels, then the end entity certs. If the CRL has expired for the CA that issued the end entity certs, then the verify() callback is called with preverify_ok=0. I expect this.
If I now replace the root CRL with one that has expired, the verify() callback is called with preverify_ok=1. This seems inconsistent. Is this expected? Is there something I need to do to get openssl to check the root CRL? Thanks, Bruce
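The asymmetry described in the post, as an added example that is not part of the original message: a script (mine, not the poster's) that builds a constructed three-level chain with the openssl command line, then verifies the leaf twice against a combined CRL set in which the root CRL has already expired. With `-crl_check` OpenSSL consults only the CRL covering the end-entity certificate (the intermediate's CRL), so the expired root CRL is never looked at and verification passes; with `-crl_check_all` every certificate in the chain is checked and verification fails with "CRL has expired". In library code the same two settings are the X509_V_FLAG_CRL_CHECK flag alone versus X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL, applied with X509_STORE_set_flags() on the store returned by SSL_CTX_get_cert_store(). Assumed: an `openssl` CLI (1.1.x or 3.x) on PATH; every subject name, key size, lifetime and file name below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): show that CRL checking covers only
# the leaf certificate unless "check all" is requested, using a constructed chain.
# Assumes an `openssl` CLI (1.1.x or 3.x); all names and lifetimes are made up.
set -eu

WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# One config file serves `openssl req`, the `-extfile` of `openssl x509`,
# and the database/digest that `openssl ca -gencrl` insists on.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
default_md = sha256
EOF
: > index.txt   # empty issuance database: nothing is revoked in this demo

# Three-level chain: root -> intermediate -> leaf, each valid for a year.
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj /CN=Demo-Root -days 365 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj /CN=Demo-Intermediate 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_ca -days 365 -out int.crt 2>/dev/null
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj /CN=demo-leaf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_leaf -days 365 -out leaf.crt 2>/dev/null

# Root CRL valid for one hour, intermediate CRL valid for thirty days.
openssl ca -config demo.cnf -gencrl -keyfile root.key -cert root.crt \
    -crlhours 1 -out root.crl 2>/dev/null
openssl ca -config demo.cnf -gencrl -keyfile int.key -cert int.crt \
    -crldays 30 -out int.crl 2>/dev/null
cat root.crl int.crl > all.crl   # -CRLfile loads every PEM CRL in the file

# Verify two hours from now: the root CRL has expired, the intermediate CRL has not.
FUTURE=$(( $(date +%s) + 7200 ))

# $1 is -crl_check (leaf's CRL only) or -crl_check_all (every cert in the chain).
# Prints PASS or FAIL so the outcome can be compared without aborting under set -e.
verify_chain() {
    if openssl verify -CAfile root.crt -untrusted int.crt -CRLfile all.crl \
           -attime "$FUTURE" "$1" leaf.crt >/dev/null 2>&1; then
        echo PASS
    else
        echo FAIL
    fi
}

echo "-crl_check:     $(verify_chain -crl_check)"       # PASS: root CRL never consulted
echo "-crl_check_all: $(verify_chain -crl_check_all)"   # FAIL: root CRL has expired
```

Run it as-is; the temporary directory holds the generated material and can be deleted afterwards. The `-attime` switch is only there to age the root CRL deterministically instead of sleeping for an hour; the same PASS/FAIL split appears in a TLS handshake when the store carries X509_V_FLAG_CRL_CHECK without X509_V_FLAG_CRL_CHECK_ALL.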