This should happen if and only if the client cert is revoked.

If you don't give the server the CRL(s), and since openssl (so far) doesn't use OCSP itself (though it supports an app using it), the server doesn't know the client cert is revoked and it accepts the connection, which may be from an attacker such as a thief. If you do give the server the CRL(s) and enable checking, the server knows the client cert is revoked and rejects the connection. That's what revocation is for.

Maybe it's confusing that the error code says "no cert returned", which is not exactly correct; something like "cert not acceptable" or "cert invalid" might be a little better. But it is what it is.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ben
Sent: Tuesday, January 14, 2014 20:25
To: openssl-users@openssl.org
Subject: *** Spam *** How to use the CRL in ssl connection

Hello everyone,

I have a question about the CRL in an SSL server. I loaded the CRL file successfully, but when a new connection comes in, SSL_accept returns NULL, whether or not the client cert is in the CRL file. Certainly, if I don't load the CRL file, the SSL server is very OK. And SSL_accept returns the error msg:

    error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

The code:

    /* load the CRL file into the verify store (same call as for CA certs) */
    int ret = SSL_CTX_load_verify_locations(ap_ctx, a_revokeCrl.c_str(), NULL);
    if (ret == 0) {
        printf("SSL_CTX_load_verify_locations(crl) return 0.\n");
    } else {
        /* turn on CRL checking for the leaf (client) certificate */
        X509_STORE *pCaCertStore = SSL_CTX_get_cert_store(ap_ctx);
        X509_STORE_set_flags(pCaCertStore, X509_V_FLAG_CRL_CHECK);
    }

openssl version: OpenSSL 0.9.8k

This question has puzzled me for two days; please, superman, help me. Thank you very much!

Best regards!
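Added example, not from the thread: a shell session with the openssl CLI that builds a throwaway CA, revokes its client cert and publishes a CRL, then runs `openssl verify` three ways to show that a CRL changes the verdict only once checking is enabled (the CLI's `-crl_check` is the same X509_V_FLAG_CRL_CHECK the question sets). The file names, subjects and the minimal ca.cnf are constructed for the demo.

```shell
set -eu

# Throwaway CA, one client cert, then revoke it and publish a CRL.
# All names, subjects and this minimal ca.cnf are constructed for the demo.
setup_demo_ca() {
    WORK=$(mktemp -d); cd "$WORK"
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj /CN=demo-ca -days 30 -config ca.cnf >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj /CN=client -config ca.cnf >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out client.pem -days 30 >/dev/null 2>&1
    # Revoke the client cert and issue the CRL a server would have to be given
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -revoke client.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -gencrl -out crl.pem >/dev/null 2>&1
}

# No CRL available: the revoked cert still chains to the CA, so it is accepted (exit 0)
verify_without_crl() { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1; }
# CRL supplied but checking not enabled: still accepted, the CRL is simply not consulted
verify_crl_not_checked() { openssl verify -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1; }
# CRL supplied and -crl_check (X509_V_FLAG_CRL_CHECK) set: rejected as "certificate revoked"
verify_crl_checked() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1; }

setup_demo_ca
verify_without_crl     && echo "no CRL:           accepted"
verify_crl_not_checked && echo "CRL, no check:    accepted"
verify_crl_checked     || echo "CRL + crl_check:  rejected"
```

Run `openssl verify -crl_check ...` without the output redirection to see the actual reason (`certificate revoked`); an SSL server that wants the same detail in its log needs a verify callback, since the SSL-layer error only says the cert was not accepted.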