Hi,

when I saw that with mod_ssl the CRL check did not work on multiple CRLs of the same issuer, I tried to do the "openssl verify" command specified in my first email, using N files, one for each CRL, with N symlinks, or one file (concatenating all CRLs in one file) with one symlink, but the result is the same: it seems that only the first valid CRL for that issuer is checked, and the others are ignored.

Maybe I'm wrong... I've looked into the mod_ssl source code, and it seems to use an OpenSSL function to verify revoked certificates, and to use an OpenSSL lookup function to get the CRL of the certificate issuer.

Do you have a method to suggest to me to check multiple CRLs, or any sample that can help me?

Thanks in advance for your reply,
M.M.

> Date: Tue, 15 Jun 2010 13:01:49 +0200
> From: [email protected]
> To: [email protected]
> Subject: Re: openssl 1.0.0, multiple crls same issuer - revoked cert
>
> On Tue, Jun 15, 2010, matteo mattau wrote:
>
> > Hi,
> >
> > since there is no IDP extension in the CRLs, please, how can I
> > check all the CRLs?
> > I'm using apache + mod_ssl (and so openssl) to verify client authentication.
> > Please could you help me by telling me how I can modify
> > the call to "SSL_X509_STORE_lookup" to loop over all ".rN"
> > symlink files and not stop at ".r0"?
> >
>
> Ah, you didn't tell me you were using mod_ssl. The CRL logic in mod_ssl
> does not use OpenSSL's CRL checking code. You'd have to modify mod_ssl, not
> OpenSSL.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
