On 10/03/2016 20:11, mich...@secure-mail.biz wrote:
> Hey openssl users,
> I am testing with revoking certificates.
> My PKI has a root and 2 intermediates, which then sign server and
> client certificates.
> My test environment consists of an s_client and an s_server referencing
> the corresponding files and a verifydir with c_rehashed files.
> TLS connections work fine from s_client to s_server, the chain is exposed
> and recognized properly.
> I successfully revoked server certificates with the intermediate CA CRL.
> When trying to connect using the s_client "-crl_check" arg, the
> "certificate revoked" notification shows up correctly.
> I also successfully created a CRL with the root CA that revokes one
> of the intermediates.
> The serial number of the revoked intermediate is shown correctly in the
> CRL and the CRL is c_rehashed in the verify dir of the client.
> But no matter what I try, the s_client does NOT show "certificate
> revoked" when I connect to the corresponding s_server using the
> certificate signed by the revoked intermediate.
> Any ideas what I could be doing wrong?
Make sure the intermediary is not included in the "CA storage"
(hashed or single file) used by the client. Anything in that
storage is considered valid and not checked for revocation or
validity.
> I am on version OpenSSL 1.0.1f 6 Jan 2014
That's a bit old.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
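An added example, not code from the thread or from the OpenSSL project, that rebuilds the poster's setup offline with `openssl verify` in place of s_client/s_server: a root, one intermediate revoked in the root's CRL, a leaf signed by that intermediate, and a verify directory named the way c_rehash would name it (only the root certificate and the two CRLs, the intermediate handed over with `-untrusted` the way a TLS server sends it). It then verifies the leaf twice. Per the verify(1) and s_client(1) documentation, `-crl_check` consults the CRL for the end-entity certificate only, while `-crl_check_all` checks every certificate in the chain, so a revoked intermediate is only reported by the second flag; that is worth confirming before digging into the trust-store question. All names, paths and the config fragments are hypothetical and created by the script; only the `openssl` binary is required.

```shell
#!/bin/sh
# Added example (not from the thread): root -> revoked intermediate -> leaf,
# then `openssl verify -crl_check` versus `-crl_check_all`.
# Every file, subject name and config below is hypothetical and created here.
set -eu

# Request/extension config shared by all three certificates.
write_ext_cnf() {  # write_ext_cnf FILE
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Minimal `openssl ca` database so a CA can revoke a certificate and issue a CRL.
init_ca_db() {  # init_ca_db CADIR (cert.pem and key.pem already inside)
  : > "$1/index.txt"
  echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database    = $1/index.txt
crlnumber   = $1/crlnumber
certificate = $1/cert.pem
private_key = $1/key.pem
default_md  = sha256
EOF
}

# Install FILE into VERIFYDIR under the name c_rehash would give it:
# <subject hash>.0 for a certificate, <issuer hash>.r0 for a CRL.
rehash_into() {  # rehash_into VERIFYDIR FILE cert|crl
  if [ "$3" = crl ]; then cp "$2" "$1/$(openssl crl -hash -noout -in "$2").r0"
  else cp "$2" "$1/$(openssl x509 -hash -noout -in "$2").0"; fi
}

# build_pki WORKDIR: issue the three certificates, revoke the intermediate in
# the root's CRL, issue an empty CRL from the intermediate, and fill a verify
# dir with only the root certificate and the two CRLs.
build_pki() {
  w=$1; cnf=$w/pki.cnf
  mkdir -p "$w/root" "$w/inter" "$w/verify"
  write_ext_cnf "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$w/root/key.pem" -out "$w/root/cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$w/inter/key.pem" -out "$w/inter/csr.pem" 2>/dev/null
  openssl x509 -req -in "$w/inter/csr.pem" -CA "$w/root/cert.pem" \
    -CAkey "$w/root/key.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$cnf" -extensions v3_ca -out "$w/inter/cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
    -subj "/CN=server.example.test" \
    -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$w/leaf.csr" -CA "$w/inter/cert.pem" \
    -CAkey "$w/inter/key.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$cnf" -extensions v3_leaf -out "$w/leaf.pem" 2>/dev/null
  init_ca_db "$w/root"; init_ca_db "$w/inter"
  openssl ca -config "$w/root/ca.cnf" -revoke "$w/inter/cert.pem" >/dev/null 2>&1
  openssl ca -config "$w/root/ca.cnf" -gencrl -crldays 30 -out "$w/root/crl.pem" 2>/dev/null
  openssl ca -config "$w/inter/ca.cnf" -gencrl -crldays 30 -out "$w/inter/crl.pem" 2>/dev/null
  rehash_into "$w/verify" "$w/root/cert.pem" cert
  rehash_into "$w/verify" "$w/root/crl.pem" crl
  rehash_into "$w/verify" "$w/inter/crl.pem" crl
}

# leaf_status WORKDIR FLAG: verify the leaf with FLAG (-crl_check or
# -crl_check_all); the intermediate is offered as an untrusted chain cert,
# as a TLS server would send it. Prints OK, REVOKED, or the verify error.
leaf_status() {
  if out=$(openssl verify "$2" -CApath "$1/verify" -untrusted "$1/inter/cert.pem" \
           "$1/leaf.pem" 2>&1); then echo OK
  else case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo "FAILED: $out" ;; esac; fi
}

WORK=$(mktemp -d)
build_pki "$WORK"
echo "-crl_check     (end-entity only): $(leaf_status "$WORK" -crl_check)"
echo "-crl_check_all (whole chain):     $(leaf_status "$WORK" -crl_check_all)"
```

The first line prints OK and the second REVOKED: the empty intermediate CRL satisfies `-crl_check` for the leaf, and only `-crl_check_all` reaches depth 1 where the root's CRL lists the intermediate's serial. s_client takes the same two options, so the poster's setup can be re-run with `-crl_check_all` before anything else is changed; the verify dir here deliberately keeps the intermediate out of the trusted set, which is the layout Jakob's reply asks for.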