Hi, I've done some googling and failed to come up with an answer... I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is the latest one available from the CentOS repositories.
I've downloaded and set up several Certificate Authorities as trusted certs and their accompanying CRLs. I've created the hash links for the CRLs and CAs as well. When I run a test on some test certificates I received, they all come back OK, even though some are expired and some are revoked. I've run the following verify command and expected different results to flag TestOne as valid, TestThirtySeven as Revoked and TestForty as expired. I also tried crl_check_all and purpose flags, with no different results.

[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestOne_Valid.pem
TestOne_Valid.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestForty_Expired.pem
TestForty_Expired.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestOne_Valid.pem
TestOne_Valid.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestForty_Expired.pem
TestForty_Expired.pem: OK
[root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
TestThirtySeven_Revoked.pem: OK
[root@dmapsdev01 TestCerts]#

Similarly, when I run from a browser, with tomcat configured for CRL checking (using APR & tcnative), tomcat lets the expired and revoked certificates pass.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
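Editor's added example, not part of the post above: a self-contained script that builds a throwaway CA, issues one valid, one expired and one revoked leaf certificate, publishes a CRL, lays out the hashed `-CApath` directory (the `<hash>.0` / `<hash>.r0` links the poster describes creating) and runs `openssl verify -crl_check_all` against it, so you can see what the three outcomes look like when the trust store is actually being consulted. Every name and path in it (`Demo Test CA`, the `TestOne_Valid` style leaf names, the `mktemp` working directory) is constructed for the demo; the CLI options used are standard `openssl req` / `openssl ca` / `openssl verify` options.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, issue one
# valid, one expired and one revoked leaf, publish a CRL, lay out a hashed
# -CApath directory, and run `openssl verify` against it. All names and paths
# are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"        # CA working files (index, serial, key)
STORE="$WORK/store"  # the -CApath directory: hashed CA certs and CRLs
mkdir -p "$CA/newcerts" "$STORE"
touch "$CA/index.txt"
echo 1000 > "$CA/serial"
echo 1000 > "$CA/crlnumber"

# Minimal config for `openssl req` / `openssl ca`; real deployments need more.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = usr_cert
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
EOF

# 1. Self-signed root CA.
openssl req -x509 -config "$CA/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Demo Test CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null

# issue NAME [extra openssl-ca args]: key + CSR, then sign with the demo CA.
issue() {
  name="$1"; shift
  openssl req -new -config "$CA/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$WORK/$name.csr" -out "$WORK/$name.pem" "$@" 2>/dev/null
}
issue TestOne_Valid
issue TestForty_Expired -startdate 20100101000000Z -enddate 20110101000000Z
issue TestThirtySeven_Revoked

# 2. Revoke one leaf and publish the CRL.
openssl ca -batch -config "$CA/openssl.cnf" -revoke "$WORK/TestThirtySeven_Revoked.pem" 2>/dev/null
openssl ca -batch -config "$CA/openssl.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null

# 3. Trust store layout: <subject-hash>.0 -> CA cert, <issuer-hash>.r0 -> CRL.
#    This is what `c_rehash <dir>` produces; done by hand here to show it.
cp "$CA/ca.crt" "$CA/ca.crl" "$STORE/"
ln -s ca.crt "$STORE/$(openssl x509 -noout -hash -in "$STORE/ca.crt").0"
ln -s ca.crl "$STORE/$(openssl crl  -noout -hash -in "$STORE/ca.crl").r0"

# verify_cert PEM -> prints OK | expired | revoked | other: <openssl output>
# Note the explicit -CApath: without it, verify consults OPENSSLDIR/certs.
verify_cert() {
  out="$(openssl verify -CApath "$STORE" -crl_check_all "$1" 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*)     echo revoked ;;
    *"certificate has expired"*) echo expired ;;
    *": OK"*)                    echo OK ;;
    *)                           echo "other: $out" ;;
  esac
}

for leaf in TestOne_Valid TestForty_Expired TestThirtySeven_Revoked; do
  printf '%s: %s\n' "$leaf" "$(verify_cert "$WORK/$leaf.pem")"
done
# Expected: TestOne_Valid: OK, TestForty_Expired: expired, TestThirtySeven_Revoked: revoked
```

Two checks worth making against a real trust store: `openssl verify` with no `-CApath`/`-CAfile` looks only in the compiled-in default directory (`openssl version -d` prints OPENSSLDIR; the `certs` subdirectory under it, or `$SSL_CERT_DIR` if set), so hash links placed elsewhere are never consulted, and the CRL links must be named after the CRL's issuer hash (`openssl crl -hash`) with an `.r0` suffix, not after the CA file's subject hash with `.0`. Adding `-show_chain` (OpenSSL 1.1.1 and later) to the verify command shows which certificates were actually used to build the chain.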