You are correct, I made a paste error in the mail. The certs were correct at the time I tested however (my test script just regenerates things each time and I pasted an old ee with a new root ca).
I just tried openssl-SNAP-20091026.tar.gz and still get Different CRL Scope. Here is the EE, ROOT CA, Indirect CRL signer, and Indirect CRL in a P7. -----BEGIN PKCS7----- MIIHfgYJKoZIhvcNAQcCoIIHbzCCB2sCAQExADALBgkqhkiG9w0BBwGgggW5MIIC NzCCAeGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAxMRMwEQYDVQQKEwpSZWQgQ29u ZG9yMQwwCgYDVQQLEwNQS0kxDDAKBgNVBAMTA0NBMDAeFw0wOTEwMTYyMDI4MDVa Fw0xMDEwMjYyMDI4MDVaMDwxEzARBgNVBAoTClJlZCBDb25kb3IxDDAKBgNVBAsT A1BLSTEXMBUGA1UEAxMOQWRhbVJvc2Vuc3RlaW4wXDANBgkqhkiG9w0BAQEFAANL ADBIAkEAxOqxSY6OYvLnSoA5dPAbWsApx6N6cBn6qYeFeNovkr+JnoBaPuSMDSAN fkmwktZCcumfX6czyV6qQjKlB1e0CwIDAQABo4HYMIHVMAwGA1UdEwEB/wQCMAAw HQYDVR0OBBYEFERl5bIuRASGgLLjYaIMI5DNfO/lMB8GA1UdIwQYMBaAFCRhPk/D NEBzZOufd0Bguya9GhSiMA4GA1UdDwEB/wQEAwIFoDB1BgNVHR8EbjBsMGqgLaAr hilodHRwOi8vcGtpLnJlZGNvbmRvci5uZXQvQ0EwLWluZGlyZWN0LmNybKI5pDcw NTETMBEGA1UEChMKUmVkIENvbmRvcjEMMAoGA1UECxMDUEtJMRAwDgYDVQQDEwdD QTBpQ1JMMA0GCSqGSIb3DQEBBQUAA0EAsteORZ/QTZv3RVhxDkmY1p3dH7DB6ZMm sXzkhA+GN3v4GXdb7EhNSTAQ+EuRhZhQBRDKE3Y63pF6CsrU93rP8jCCAb0wggFn oAMCAQICAQIwDQYJKoZIhvcNAQEFBQAwMTETMBEGA1UEChMKUmVkIENvbmRvcjEM MAoGA1UECxMDUEtJMQwwCgYDVQQDEwNDQTAwHhcNMDkxMDE2MjAyODA0WhcNMTAx MDI2MjAyODA0WjA1MRMwEQYDVQQKEwpSZWQgQ29uZG9yMQwwCgYDVQQLEwNQS0kx EDAOBgNVBAMTB0NBMGlDUkwwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAo3ObrwsI K1KcZ0KwAFbQAmSJ3DWwc9nRGhFUmakGY84fCs3viULbGdsNkSfa3oXBw88W+Ppd IrD8hsi9ZcZmFwIDAQABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEIMB0GA1UdDgQW BBQQqbRAIlIdYffeBpkKUh2R50rfVTAfBgNVHSMEGDAWgBQkYT5PwzRAc2Trn3dA YLsmvRoUojAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADQQA7DJqmDpWh 7MNQuZ/TLSa7clVmgkJQCbuJrGQ59zWA+QTaeQ886RECSGybXV+rQ94jsbgQIa0b KXRsJSDaNiihMIIBuTCCAWOgAwIBAgIBATANBgkqhkiG9w0BAQUFADAxMRMwEQYD VQQKEwpSZWQgQ29uZG9yMQwwCgYDVQQLEwNQS0kxDDAKBgNVBAMTA0NBMDAeFw0w OTEwMTYyMDI4MDRaFw0xMDEwMjYyMDI4MDRaMDExEzARBgNVBAoTClJlZCBDb25k b3IxDDAKBgNVBAsTA1BLSTEMMAoGA1UEAxMDQ0EwMFwwDQYJKoZIhvcNAQEBBQAD SwAwSAJBALoQF/Jo7vqH0+fNc2vBstWDBYay+EEaGPWJAIsn2F1C86JXFWOjRdu+ Fxz7JV5suaMpXcR8j/22LBOHYoxKXgUCAwEAAaNmMGQwEgYDVR0TAQH/BAgwBgEB /wIBCDAdBgNVHQ4EFgQUJGE+T8M0QHNk6593QGC7Jr0aFKIwHwYDVR0jBBgwFoAU JGE+T8M0QHNk6593QGC7Jr0aFKIwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEB BQUAA0EACWYfa92zpMJcXwvD09fcn3CA6umXjVqbEDdbkjASWYRgo2dHMyV6NGoo xHpXt/5zgnMyyhuqpzr9K6XY2XQTYqGCAZYwggGSMIIBPAIBATANBgkqhkiG9w0B AQUFADA1MRMwEQYDVQQKEwpSZWQgQ29uZG9yMQwwCgYDVQQLEwNQS0kxEDAOBgNV BAMTB0NBMGlDUkwXDTA5MTAyNTIwMjgwNloXDTEwMDgyMjIwMjgwNlowWTBXAgED Fw0wOTEwMjYyMDI4MDZaMEMwQQYDVR0dAQH/BDcwNaQzMDExEzARBgNVBAoTClJl ZCBDb25kb3IxDDAKBgNVBAsTA1BLSTEMMAoGA1UEAxMDQ0EwoHgwdjBHBgNVHRwB Af8EPTA7oC2gK4YpaHR0cDovL3BraS5yZWRjb25kb3IubmV0L0NBMC1pbmRpcmVj dC5jcmyBAQCCAQCEAf+FAQAwHwYDVR0jBBgwFoAUEKm0QCJSHWH33gaZClIdkedK 31UwCgYDVR0UBAMCAQowDQYJKoZIhvcNAQEFBQADQQBRIY2yeJ+519ZH/nfzLsq3 rSmKMW43QSRSdKV93K4qPtuWhVcc/3Z9jKkO/p9WD9pVA1RALWc8XyLEGvbRPyA2 MQA= -----END PKCS7----- -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Friday, October 23, 2009 5:09 PM To: openssl-users@openssl.org Subject: Re: your mail On Fri, Oct 23, 2009, Dr. Stephen Henson wrote: > On Wed, Oct 21, 2009, Adam Rosenstein wrote: > > > I'm using v1.0.0 Beta 3. > > > > > > Hmm... there seems to be an SKID/AKID issue here: > There is also a bug in the verification code which means it was expecting to find a CRL for the CRL signing certificate too even if not configured to check the whole chain. Please try the next snapshot. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
