Ahh, that explains it.  Thanks for looking into it.

My code only uses a store for verification.  It is Perl glue developed 
in-house.  Perhaps we would be willing to donate it to contrib.  It is a more 
complete set of bindings to libcrypto than other modules on CPAN.

The documentation on iCRLs was a little cryptic to me.  It said that no lookup 
methods were used (?).  Now you say the store is also not used.  How do I get 
the iCRL into the verification process?  Also, does the current 1.0.0 icrl code 
enforce the "same trust-anchor" method of tying iCRL issuer to the CA it is 
revoking for?

I'd be happy to help continue testing indirect CRLs, as they are a feature we 
would like.  We have root and first-level intermediate CAs on smartcards 
"offline" (in a safe) because they are infrequently used.  We would like to 
have a single indirect CRL issuer (issued by root) so we can require full chain 
CRL checking AND enforce timely updates to the CRLs while keeping our 
infrequently used private keys out of normal circulation.

Also, I can confirm that name-constraints are working beautifully.

Adam Rosenstein
Red Condor

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, October 29, 2009 3:42 PM
To: openssl-users@openssl.org
Subject: Re: your mail

On Mon, Oct 26, 2009, Adam Rosenstein wrote:

> You are correct, I made a paste error in the mail.  The certs were correct
> at the time I tested however (my test script just regenerates things each
> time and I pasted an old ee with a new root ca).
> 
> I just tried openssl-SNAP-20091026.tar.gz and still get Different CRL Scope.
> Here is the EE, ROOT CA, Indirect CRL signer, and Indirect CRL in a P7.
> 

Hmm... I now get the message "certificate revoked" when I verify that chain.
That is using a (not yet committed) change to the verify utility to input CRLs
to the verification context. Due to a limitation in the current CRL lookup
code indirect CRLs don't work when placed in a store.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org