>From: owner-openssl-...@openssl.org On Behalf Of Thirumal, Karthikeyan
>Sent: Monday, 17 December, 2012 13:12

I don't believe this belongs on -dev or -cvs.

>We added OpenSSL to our TCP Windows application, for Client -
>Server communication.
>Looks like a few machines are not able to access the application,
>and below is the error.
>The revocation function was unable to check revocation for the certificate.
>
>The revocation function was unable to check revocation because the
>revocation server was offline.

This error message does not occur anywhere in OpenSSL; is it in your application or maybe some middleware or extension added to OpenSSL? (Auto-fetching a CRL, or trying to, is a reasonable thing to add.)

>Looks like they are stuck with CRL and they may be restricted without
>Admin access and not able to download the CRL certs.

I've never seen Windows require Admin for network communication. It can need firewall settings for particular communications (sources and destinations) and usually does since Vista at least. You might check if that's the problem and can be fixed; if so, enabling your normal CRL functionality -- which you imply works on other machines -- is likely easier than any other way and certainly is more consistent.

>But we tried to install a few CRL certs on his machine,
>Certs installed : http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl and
>http://crl.verisign.com/pca3-g5.crl. But still that did not work out.

CRLs are NOT certs. They are both issued by a CA (more or less) and signed, but they are not the same thing.

>Can someone shed some light on this issue on installing which certs
>could resolve this issue ?

In what way did it "not work out"? Is your app using OpenSSL's default CRL lookup, in a directory commonly called something like CApath with filenames in the form issuerhash.r0 .r1 etc, or something else? If the former, did you install these CRLs that way? Do the certs you want verified match the CRL issuer(s) of the CRLs you installed?

I presume your app or middleware is already setting verifyparam F_CRL_CHECK (or _ALL) somewhere, and/or you or middleware put this into a verify callback, as by default OpenSSL doesn't check CRLs.

>P.S., I cannot bypass the CRL download as it is a security flaw.

I hope you mean you cannot bypass the CRL *check*. The way a CRL is obtained, by direct download or other distribution, does not matter to security, as long as you end up checking the correct current CRL.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
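The CApath lookup (issuerhash.r0) and the "OpenSSL doesn't check CRLs by default" point from the reply above, as an added worked example that is not part of the thread: a throwaway CA is built with the openssl CLI, its one leaf cert is revoked, the CRL is installed the CApath way, and `openssl verify` is run with and without `-crl_check`. It assumes the `openssl` binary (1.1.1 or 3.x) is on PATH; the function names and the DemoCA/leaf names are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): build a throwaway CA, revoke its leaf cert,
# publish the CRL in CApath form (<issuerhash>.r0) and compare `openssl verify`
# with and without -crl_check. Needs the openssl CLI on PATH.
set -eu
W=$(mktemp -d)

make_pki() (
    cd "$W"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoCA \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null
    # Minimal state for `openssl ca`; it only has to track revocations here.
    mkdir -p newcerts capath; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    printf '%s\n' '[ ca ]' 'default_ca = demo' '[ demo ]' \
        "database = $W/index.txt" "new_certs_dir = $W/newcerts" \
        "serial = $W/serial" "crlnumber = $W/crlnumber" \
        "certificate = $W/ca.pem" "private_key = $W/ca.key" \
        'default_md = sha256' 'default_crl_days = 30' > ca.cnf
    openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
    # CApath layout used by OpenSSL's by_dir lookup: CA cert as <subjecthash>.0,
    # its CRL as <issuerhash>.r0 (the same hash, since the CA issues its own CRL).
    ln -s "$W/ca.pem" "capath/$(openssl x509 -hash -noout -in ca.pem).0"
    ln -s "$W/ca.crl" "capath/$(openssl crl -hash -noout -in ca.crl).r0"
)

# Each function returns `openssl verify`'s exit status: 0 means chain accepted.
# Default: no CRL checking at all, so the revoked leaf still verifies.
verify_default()     { openssl verify -CApath "$W/capath" "$W/leaf.pem" >/dev/null 2>&1; }
# -crl_check (X509_V_FLAG_CRL_CHECK) with the CRL installed: rejected as revoked.
verify_crl_check()   { openssl verify -crl_check -CApath "$W/capath" "$W/leaf.pem" >/dev/null 2>&1; }
# -crl_check but no CRL reachable for the issuer: rejected with
# "unable to get certificate CRL", the failure class the original post hit.
verify_crl_missing() { openssl verify -crl_check -CAfile "$W/ca.pem" -no-CApath "$W/leaf.pem" >/dev/null 2>&1; }

report() { if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }
make_pki
report verify_default
report verify_crl_check
report verify_crl_missing
```

Use `-crl_check_all` (X509_V_FLAG_CRL_CHECK_ALL) instead of `-crl_check` to require a CRL for every CA in the chain, not just the leaf's issuer.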