> From: owner-openssl-us...@openssl.org On Behalf Of nvharisha
> Sent: Tuesday, October 01, 2013 05:56
>
> I would like to understand how exactly CRL is used.
>
> Means, let's say we try to login using gmail.com in any browser. Now we see
> certificates - We see Google Inc is the 1st level and it has a CRL which is
> pointing to one URL.
>
> I tried to enable wireshark and see if there is any communication, but in
> vain.
> I wanted to know how CRL will be handled?

It (actually accounts.google.com) has a cert with the CRL Distribution Point extension and also the Authority Info Access extension containing OCSP. The two browsers I have handy (Firefox 24, and IE 9 (on Vista)) both use OCSP; the former does about 6 requests and the latter about a dozen. Generally a clever client will prefer OCSP to CRL given a choice, because it is very likely to be more timely and likely to be cheaper to get and process.

> The reason I am asking is:
> We have a device which has a Qt / webkit based browser on Linux. Now if I
> want to enable OpenSSL, as a first and easiest step, compiled qt with "openSSL"
> libraries.

OpenSSL's current support for revocation is spotty. It will use an applicable CRL that you already have in your truststore, and I think even multiple ones, but does not locate and fetch the needed one(s). It has functions to create OCSP requests and parse the responses, but does not use them to do OCSP for the cert(s) in a chain it is validating. I've seen hints that changes in this area are in development, but at the moment if you need it I see no alternative to coding it yourself.
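The CRL behaviour described in the reply, as an added example that is not part of the thread: a throwaway CA issues a leaf certificate carrying a CRL Distribution Point, revokes it and publishes a CRL, and `openssl verify` is then run with no CRL, with the CRL supplied but not checked, and with `-crl_check`. It assumes the `openssl` CLI (1.1.1 or later, for `-ext`) is installed; the CA name, the leaf name, the `crl.example.invalid` URL and all files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. A throwaway CA issues a leaf cert that
# carries a CRL Distribution Point, then revokes it and publishes a CRL.
# verify_leaf shows that openssl honours a CRL only when it is already in the
# store AND -crl_check is set. All names, URLs and files are constructed.
set -eu
work=$(mktemp -d) && cd "$work"
# Minimal `openssl ca` config: a database and digest suffice to record
# revocations and emit a CRL (no certificates are issued through it).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database   = index.txt
default_md = sha256
EOF
touch index.txt
# Demo CA plus a leaf it signs; the CRL DP URL is what a client would have
# to fetch itself, which is exactly the part OpenSSL does not do.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 30 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=leaf.example" 2>/dev/null
echo 'crlDistributionPoints=URI:http://crl.example.invalid/demo.crl' > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
# Revoke the leaf and publish the CRL (the CA side of the process).
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -crldays 30 \
  -out crl.pem 2>/dev/null
# crl_dp: print the CRL Distribution Point URL embedded in the leaf.
crl_dp() {
  openssl x509 -in leaf.pem -noout -ext crlDistributionPoints | grep -o 'http[^ ]*'
}
# verify_leaf MODE, prints "ok" or "revoked":
#   none   = no CRL available at all
#   loaded = CRL supplied to the store, but checking not requested
#   check  = CRL supplied and -crl_check set (the only mode that notices it)
verify_leaf() {
  flags=""
  case "$1" in
    loaded) flags="-CRLfile crl.pem" ;;
    check)  flags="-CRLfile crl.pem -crl_check" ;;
  esac
  if openssl verify -CAfile ca.pem $flags leaf.pem >/dev/null 2>&1; then echo ok; else echo revoked; fi
}
echo "CRL DP: $(crl_dp)"
for m in none loaded check; do echo "$m: $(verify_leaf "$m")"; done
```

The middle case is the one to watch in your own client: a CRL that is present in the store but never consulted is indistinguishable from no CRL at all.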