Hi, I am implementing the CRL feature for my application and was doing a proof of concept using OpenSSL. Here is what I did:

1. I used openssl commands to generate a v3 root CA certificate and also the corresponding server certificate.
2. Now I revoked the server certificate using openssl commands.
3. First I tested this with the OpenSSL s_client and s_server. I understood from googling that I need to use the -crl_check option on the s_client side to do the CRL validation and, as instructed in the reference manual, I concatenated my CA certificate as well as the CRL into a single PEM file and passed it to the openssl client in the -CAfile field.
4. Things went as expected and I got the error code for CRL validation failure.
5. Next step, I wanted to do the same for my sample SSL client and server.
6. Here, from my client side, I loaded the concatenated cert + CRL into combined.pem and loaded it using
7. SSL_CTX_load_verify_locations(ctx, "combined.pem", NULL). While doing the SSL connection, I found that the CRL _was not_ checked. (I understand now that this is NOT the API to set the CRL into verification paths.)
8. Later, from further reading I understood that the CRL check is not done by default and I need to add the CRL to the verification paths using X509-level APIs.
   ( http://stackoverflow.com/questions/4389954/does-openssl-automatically-handle-crls-certificate-revocation-lists-now )

    X509_STORE *store = getStore();
    // Enable CRL checking
    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
    X509_STORE_set1_param(store, param);
    X509_VERIFY_PARAM_free(param);

I am going to try this out now, but before that, wanted to check with the community:

- Is the way I am proceeding correct?
- Are there any other simpler ways to do this?
- What would be the best approach to follow for enabling CRL checking?
- Are there any SSL_CTX-level APIs for this now?

I am using openssl version openssl-0.9.8r (also wanted to know if this behaviour has changed in higher versions of OpenSSL).

Thanks in advance!

Regds,
Ashok