>I am testing with revoking certificates.
>
>My PKI has a root and 2 intermediates, which then sign server and
client certificates
>My test environment consists of a s_client and a s_server referencing
the corresponding files and a verifydir with c_rehased files.
>TLS connections work fine from s_client to s_server, chain is exposed
and recognized properly.
>
>I successfully revoked server-certificates with the intermediate ca crl.
>When trying to connect using the s_client "-crl_check" arg the
"certificate revoked" notification shows up correctly.
>
>I also successfully created a crl with the root ca, that revokes one
of the intermediates.
>The serialnumber of the revoked intermediate is shown correctly in the
crl and the crl is c_rehashed in the verify dir of the client.
>But no matter what i try, the s_client does NOT show the "certificate
revoked" when I connect to the corresponding s_server using the
certificate signed by the revoked intermediate.
>
>Any ideas what i could be doing wrong?
>
>I am on version OpenSSL 1.0.1f 6 Jan 2014
Thanks for the answers and the time spend.
Sorry, did not mean to trigger a debate of principles :-)
In further tracking down the cause i was trying to use "openssl verify"
commands.
When I issue the "openssl verify -CApath verifydir -crl_check
revokedIntermediate.crt" the intermediate cert is correctly shown as
revoked, so the content of the verifydir is fine I think.
Somehow s_client does not recognize that, when connecting to the
corresponding s_server.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
