On Mon, Oct 26, 2009, Adam Rosenstein wrote: > You are correct, I made a paste error in the mail. The certs were correct > at the time I tested however (my test script just regenerates things each > time and I pasted an old ee with a new root ca). > > I just tried openssl-SNAP-20091026.tar.gz and still get Different CRL Scope. > Here is the EE, ROOT CA, Indirect CRL signer, and Indirect CRL in a P7. >
Hmm... I now get the message "certificate revoked" when I verify that chain. That is using a (not yet committed) change to the verify utility to input CRLs to the verification context. Due to a limitation in the current CRL lookup code indirect CRLs don't work when placed in a store. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
