On Thu, 2010-02-04 at 15:59 -0500, Adam Grossman wrote:
> On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote:
> > On Thu, Feb 04, 2010, Adam Grossman wrote:
> >
> > > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote:
> > > > On Thu, Feb 04, 2010, Adam Grossman wrote:
> > > >
> > > > > hello once again,
> > > > >
> > > > > i am trying to get CRLs working for client certs. i have read about a
> > > > > million different ways of doing this, but this is how i am doing it:
> > > > >
> > > > > X509_CRL *x509_c;
> > > > > X509_STORE *store = SSL_CTX_get_cert_store(ctx);
> > > > > X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file());
> > > > >
> > > > > X509_load_cert_crl_file(lu,<file name>,X509_FILETYPE_PEM);
> > > > > X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK |
> > > > > X509_V_FLAG_CRL_CHECK_ALL);
> > > > >
> > > > > and when the server receives the peer cert, i do:
> > > > >
> > > > > peer = SSL_get_peer_certificate(ssl);
> > > > > SSL_get_verify_result(ssl);
> > > > >
> > > > > but certs in the CRL are being verified. what am i doing wrong?
> > > > >
> > > > > just as a warning, once this is set up, i have a few more follow-up
> > > > > questions.
> > > > >
> > > >
> > > > What happens if you don't include the CRLs? You should get an error
> > > > about it being unable to lookup the CRL.
> > > >
> > > > Can you get this to work with s_server?
> > > >
> > > > Steve.
> > >
> > > if i do not include the CRLs, i get this error from the browser (Error
> > > code: ssl_error_unknown_ca_alert).
> > >
> > > i need this to work if there is no CRL for the CA, to let it through,
> > > and if there is, look it up. i do not even have a problem doing it by
> > > hand (verifying the serial # of the peer cert against known ones in the
> > > CRL lists), but i could not find a way to pull the serial numbers out of
> > > the CRLs.
> > >
> > > i am not sure what i am looking for in s_server. i ran it, it printed
> > > out the HTTP request, and nothing else. it did give a "bad
> > > gethostbyaddr", but i do not know if that has anything to do with it.
> > >
> >
> > Include the -crl_check and -crl_check_all arguments to s_server. You can
> > also include the -www option which causes it to send a status page back
> > to the browser. Any CRLs can be included in the -CAfile file.
> >
> > Steve.
>
> It's kind of hard to do this for this server. The cert is requested
> after the 2nd handshake, so unless i am attaching to my server, it's
> very hard to use the s_server. i am also trying this from the O'Reilly
> openssl book. and for what i need to do, i would prefer to go this
> route:
>
> after the handshake is complete;
>
> peer=SSL_get_peer_certificate(ssl);
>
> store=X509_STORE_new();
> r=X509_STORE_load_locations(store,NULL,CA_cert_path);
>
> r=X509_STORE_set_default_paths(store);
>
> lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
>
> r=X509_load_crl_file(lookup, <CRL File>,X509_FILETYPE_PEM);
>
> X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL);
>
> verify_ctx = X509_STORE_CTX_new();
> r=X509_STORE_CTX_init(verify_ctx,store,peer,NULL);
> r=X509_verify_cert(verify_ctx);
>
> and the verify always fails, even when i have a client cert from the
> same CA as the CRL, but is not in the revoked list.
>
> thank you so much,
> -=- adam grossman

(please ignore my stupidity, it was a permission problem on the CA cert
file.... sorry...)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
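The outcomes discussed in the thread (no CRL check, CRL check with no CRL loaded, a revoked cert, an unrevoked cert from the same CA), reproduced with the openssl command-line tools as an added example that is not code from the thread or from the OpenSSL project. It builds a throwaway CA, two client certs and a CRL in a temp directory; the file names, the minimal ca.cnf and the verdict() helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the outcomes the thread
# runs into with the openssl CLI, which is what Steve suggests trying first.
# All material is constructed throwaway test data generated in a temp dir:
# one CA, two client certs it signed, and a CRL that revokes one of them.
WORK=$(mktemp -d); cd "$WORK"

# Throwaway CA plus two client certs (constructed test data, 1-day lifetime).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
  -keyout ca.key -out ca.pem 2>/dev/null
for cn in revoked valid; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$cn.key" -out "$cn.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$cn.csr" -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out "$cn.pem" 2>/dev/null
done

# Minimal 'openssl ca' config (assumed): only what -revoke and -gencrl need.
printf '[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\n' > ca.cnf
printf 'database = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\n' >> ca.cnf
touch index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
  -revoke revoked.pem 2>/dev/null
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
  -gencrl -crldays 1 -out crl.pem 2>/dev/null
# Steve's tip: a CRL can simply be appended to the -CAfile bundle; this is
# the CLI equivalent of X509_load_cert_crl_file() on a PEM file.
cat ca.pem crl.pem > ca_and_crl.pem

# verdict CERT CAFILE [verify flags...] -> ok | no_crl | revoked | fail
# The two matched strings are the fixed X509_verify_cert_error_string()
# texts for X509_V_ERR_UNABLE_TO_GET_CRL and X509_V_ERR_CERT_REVOKED.
verdict() {
  cert=$1; cafile=$2; shift 2
  out=$(openssl verify "$@" -CAfile "$cafile" "$cert" 2>&1) && { echo ok; return 0; }
  case $out in
    *"unable to get certificate CRL"*) echo no_crl ;;
    *"certificate revoked"*)           echo revoked ;;
    *)                                 echo fail ;;
  esac
}

# -crl_check checks only the leaf; -crl_check_all also checks every issuer
# in the chain, so with it a CRL must be loadable for each CA level too.
echo "no CRL check, revoked cert:  $(verdict revoked.pem ca.pem)"                      # ok
echo "CRL check, no CRL loaded:    $(verdict revoked.pem ca.pem -crl_check)"           # no_crl
echo "CRL check, revoked cert:     $(verdict revoked.pem ca_and_crl.pem -crl_check)"   # revoked
echo "CRL check, unrevoked cert:   $(verdict valid.pem ca_and_crl.pem -crl_check)"     # ok
```

The thread's final cause, an unreadable CA cert file, fails before any CRL logic runs: X509_STORE_load_locations() and X509_load_crl_file() return 0 in that case, so check those return values (the posted code stores them in r but never tests them) before suspecting the revocation check.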