Unable to verify LDAP CRL

2024-04-30 Thread Tot 191919
Hello, I am unable to validate an LDAP based CRL for any of my certificates. If I download the CRL from LDAP, decode it from base64, and then run it through OpenSSL, it works without issue. When I run an strace, it appears that openssl is looking for the certificate on the local filesystem, and

RE: RE: How to create indirect CRL using openssl ca command

2022-03-11 Thread Michael Wojcik
> From: edr > Sent: Friday, 11 March, 2022 03:59 > > On 10.03.2022 20:27, Michael Wojcik wrote: > > Personally, I'd be leery of using openssl ca for anything other than > dev/test purposes, in which case frequent CRL generation seems unlikely to > be a requirement.

Aw: RE: How to create indirect CRL using openssl ca command

2022-03-11 Thread edr
also CAs failed to generate the certs and CRLs correctly. :-/ >     That is a very good point you are making - thank you for this input. On 10.03.2022 20:27, Michael Wojcik wrote: > Personally, I'd be leery of using openssl ca for anything other than dev/test > purposes, in which ca

RE: How to create indirect CRL using openssl ca command

2022-03-10 Thread Michael Wojcik
ally, I'd be leery of using openssl ca for anything other than dev/test purposes, in which case frequent CRL generation seems unlikely to be a requirement. AIUI, openssl ca isn't really intended for production use. > It's a pity that there is not something like an OpenSSL key age

Re: How to create indirect CRL using openssl ca command

2022-03-10 Thread Michael Ströder via openssl-users
On 3/10/22 14:06, edr dr wrote: I would like to be able to automate the process of updating CRLs in order to be able to keep the CRL validity time short. Understandable. At the same time, I do not want to store passwords used for certificate creation in cleartext anywhere. It's a pity

How to create indirect CRL using openssl ca command

2022-03-10 Thread edr dr
Dear all, I am building a private PKI using the openssl "ca" functionality. My setup includes a root CA that issues intermediate certificates and intermediate CAs issuing endpoint certificates. I would like to be able to automate the process of updating CRLs in order to be able to ke

Re: OpenSSL API CRL Revoke Check: Coverage

2021-08-31 Thread bl4ck ness
Thanks for the clarification David. Your help is much appreciated. David von Oheimb, on Tue, 31 Aug 2021 at 08:50, wrote: > Hello Dennis, > > here are answers to your questions. > > >- All CRL signatures are (by default) verified - otherwise status >chec

Re: OpenSSL API CRL Revoke Check: Coverage

2021-08-30 Thread David von Oheimb
Hello Dennis, here are answers to your questions. * All CRL signatures are (by default) verified - otherwise status checking by CRLs would be insecure. The function used is def_crl_verify() in crypto/x509/x_crl.c * All CRLs are kept in the X509_STORE such that they can be reused for

OpenSSL API CRL Revoke Check: Coverage

2021-08-27 Thread bl4ck ness
Hello, I'm trying to use OpenSSL to validate a certificate chain with CRLs. To achieve this, I create a X509_STORE and add trusted (root) certificates into it via X509_STORE_add_cert(). I also add CRLs published by root and intermediate CAs into the store using X509_STORE_add_crl(). Then I create

Dynamic CRL not working when signed by intermediate CA

2021-07-23 Thread Venkata Mallikarjunarao Kosuri via openssl-users
Hi, Dynamic CRL not working when signed by intermediate CA when ca-file (Trusted CA certs bundle) includes only the intermediate CA that signed the CRL. Because of this the handshake is failing; is there a way to avoid this in OpenSSL 1.0.2s-fips 28 May 2019? Br, Malli

Support of Indirect CRL and How to?

2021-02-25 Thread Romain Viau
Hi everybody, I am trying to implement a complex PKI and some parts are based on an Indirect CRL issued by a specific certificate. I found that the "openssl verify" command works fine if I had the CRL issuer as "-untrusted" argument. But this check doesn't work if I on

Indirect CRL CLI and support

2020-04-30 Thread Wade Cline
', 'referred', and 'referred_bad_indirect' are all client certificates while the others are CAs ('referrer' has a 'pathlen' of '0'). My goal is to revoke the 'referred_bad_indirect' certificate via the 'signing_ca' using an indirect

Issue about CRL verification

2020-03-12 Thread maoly...@163.com
Hi team, I am trying to use CRL to check certificate revocation as follows: 1. Overrode the get_crl callback function in X509_STORE_CTX, to get the crl from the cache. 2. Set flag X509_V_FLAG_CRL_CHECK, just want to check certificate of end entity. 3. During certificate verification, I can see the

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Hyer Low
Good to know that. Regards, Kheemen > > On Mar 6, 2020 at 7:24 PM, mailto:m...@openssl.org)> wrote: > > > > The CTX needs to be there for the whole time that the SSL is. Matt On > 06/03/2020 11:17, Hyer Low wrote: > Noted. Renegotiation

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Matt Caswell
The CTX needs to be there for the whole time that the SSL is. Matt On 06/03/2020 11:17, Hyer Low wrote: > Noted. Renegotiation has been disabled. > > Is there any way to clean the CTX while letting the SSL object itself serve the > tunnel? Or can I only depend on the CTX ref after the SSL is deleted? >

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Hyer Low
Noted. Renegotiation has been disabled. Is there any way to clean the CTX while letting the SSL object itself serve the tunnel? Or can I only depend on the CTX ref after the SSL is deleted? Regards, Hyer Low > > On Mar 6, 2020 at 7:00 PM, mailto:m.

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Matt Caswell
One other thing does occur: if you allow renegotiation then you might need access to the cert-store after the initial handshake has completed. Matt On 06/03/2020 10:57, Hyer Low wrote: > All configs can have different certs set up as well, hence each CTX cert > store might also be different and

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Hyer Low
All configs can have different certs set up as well, hence each CTX cert store might also be different and not shared. Thanks. I'll try and see any possible side effect. -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

Re: How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-06 Thread Matt Caswell
On 06/03/2020 03:13, Hyer Low wrote: > I'm using *X509_load_cert_crl_file*(openssl) to load the CRL file into the > CTX and create SSL for ssl_accept handshake. Each SSL connection that > has the CRL file (600KB) loaded uses up 10 times more memory than an SSL connection > that

How to cleanup CRL memory used after SSL(OpenSSL) handshake has completed?

2020-03-05 Thread Hyer Low
I'm using *X509_load_cert_crl_file*(openssl) to load the CRL file into the CTX and create SSL for ssl_accept handshake. Each SSL connection that has the CRL file (600KB) loaded uses up 10 times more memory than an SSL connection that doesn't load the CRL. The system is having >300 ports tha

v3_crl_reason - getting acess to the various CRL reasons

2020-02-22 Thread Dirk-Willem van Gulik
I'd like to use the crl_reasons table in v3_enums.c as the single source of truth (as opposed to building this list into other tooling - because; as it skips the number 7 - is very easy to get wrong & some opensource tools do get it wrong). Now there is a i2s_ASN1_ENUMERATED_TABLE() -

Cannot find access to CRL flags in 1.1.x

2019-09-17 Thread Neptune
Migrating code base from 1.0.2 to 1.1.1c and have one last issue I cannot find a solution for: if (crl->flags & EXFLAG_CRITICAL) X509_CRL structure is opaque and I cannot access the flags member, however I cannot find any API call to retrieve the flags value. Thanks for any help/guidance

Caching CRL/Cert verification

2019-04-24 Thread Matthew Lindner
How do you cache the results of a CRL or Cert verification? When inspecting the code I see that check_cert() gets called for every certificate and the code re-verifies every used CRL on every certificate check. This is similarly done for Certificates where it is re-verified even if it is already

CRL issuer does not match CA subject

2019-03-29 Thread Aram Akhavan
that subject line is /Subject: C = us, ST = ca, O = test, CN = intermediate CA/ I then create the CRL using: /openssl ca -config $INTRMDT_CONF //-gencrl -out $INTRMDT_CRL/ When I dump the CRL, though, the issuer is /Issuer: /C=us/ST=ca/O=test/CN=intermediate ca/ When I put my certificate through

Delta CRL and verify app -extended_crl flag

2019-03-27 Thread Heikki Vatiainen
I started experimenting with delta CRLs and noticed that 'openssl verify' in OpenSSL distribution test suite uses -extended_crl flag with -use_deltas. The documentation is not clear if 'extended CRL features' also covers delta CRLs and if it is required for deltas to work.

Re: [openssl-users] Delay in converting CRL to binary data

2018-12-27 Thread Salz, Rich via openssl-users
* Please let me know if we have any update on this. This is a volunteer effort. :) My *GUESS* is that the CRL data isn’t sorted, and it’s doing a linear search. You should profile the code to find out where, exactly, all the time is being spent. -- openssl-users mailing list To

Re: [openssl-users] Delay in converting CRL to binary data

2018-12-25 Thread Prateep Kumar via openssl-users
Hello, Please let me know if we have any update on this. With Regards, Prateep On Thu, Dec 13, 2018 at 2:26 PM Prateep Kumar wrote: > Hello, > > We are converting a *CRL* (Size *3.687 MB*) to binary data using > *X509_CRL_get_REVOKED()* and it is taking *167.977* seconds to proces

[openssl-users] Delay in converting CRL to binary data

2018-12-13 Thread Prateep Kumar via openssl-users
Hello, We are converting a *CRL* (Size *3.687 MB*) to binary data using *X509_CRL_get_REVOKED()* and it is taking *167.977* seconds to process the same. Please let us know if this is an expected behavior or something should be done to improve the above observation. With Regards, Prateep

Re: [openssl-users] EDDSA crl creation woes

2018-08-09 Thread Robert Moskowitz
crl:    openssl ca -config $dir/openssl-$intermediate.cnf \ -gencrl -out $dir/crl/$crl Using configuration from /root/ca/intermediate/openssl-intermediate.cnf Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem: variable lookup failed for CA_default::default_md

Re: [openssl-users] EDDSA crl creation woes

2018-08-09 Thread Matt Caswell
s, I cannot have default_md line in my .cnf file, or at least for it > to = sha256.  And in those commands where I had to have -md sha256 with > ecdsa, I have to have -md null.  This is compared to those commands that > took -sha256 and now require nothing in the command line about the hash.

[openssl-users] EDDSA crl creation woes

2018-08-08 Thread Robert Moskowitz
those commands where I had to have -md sha256 with ecdsa, I have to have -md null.  This is compared to those commands that took -sha256 and now require nothing in the command line about the hash. So one to crl:    openssl ca -config $dir/openssl-$intermediate.cnf \ -gencrl -out $dir

[openssl-users] Revoke certificate and append to existing crl file

2018-01-19 Thread neel patel
= BUF_strdup("00"); else row[DB_serial] = BN_bn2hex(bn); BN_free(bn); printf("Serial Number is: %s\n", row[DB_serial]); printf(" Now Updating CRL file with expired client certificates \n"); char *crl_file_path = "../root_mod.crl";

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-24 Thread Dirk Menstermann
Thanks a lot Dave. That helped. Bye Dirk On 23.11.2017 18:04, Dave Coombs wrote: > Hi Dirk, > > First point: you are populating distpoint->name.relativename (which is a > union member) but setting the discriminator distpoint->type to 0, which > indicates to use fullname rather than relativenam

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-23 Thread Dave Coombs
Hi Dirk, First point: you are populating distpoint->name.relativename (which is a union member) but setting the discriminator distpoint->type to 0, which indicates to use fullname rather than relativename. So your structure will not be interpreted correctly. In any case, I think you want to p

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-23 Thread Dirk Menstermann
Thanks Dave, It seems that I do something wrong when filling the STACK_OF(DIST_POINT): X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new(); X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const unsigned char*) "http://example.com/", 19); S

Re: [openssl-users] Example code to add several CRL distribution points

2017-11-22 Thread Dave Coombs
more than 1 CRL distribution point to a > certificate? > > The below works only for one URI: > > X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx, > NID_crl_distribution_points, (char*) "URI:http://example.com/crl"); > X509_add_ext (certificate, ext, -1);

[openssl-users] Example code to add several CRL distribution points

2017-11-22 Thread Dirk Menstermann
Hi, can anybody share example code to add more than 1 CRL distribution point to a certificate? The below works only for one URI: X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx, NID_crl_distribution_points, (char*) "URI:http://example.com/crl"); X509_add_ext (certif

Re: [openssl-users] CRL signature verification

2017-10-19 Thread Salz, Rich via openssl-users
> I was more talking about the parsing. Currently I have 40 LOC [1] to Look at X509_get1_ocsp which is in crypto/x509v3/v3_utl.c That's in 1.0.2 and later > > X509_CRL_verify. And yes, looking through to find the serial# is what you have to do. > That's 1.1-specific, correct?

Re: [openssl-users] CRL signature verification

2017-10-19 Thread Wouter Verhelst
unavailable. I would like to do so; however, I can't figure out how to > validate the signature on a CRL (which would be a pretty obvious > failure). Alternatively, is there an obvious alternative thing that I > should be doing, rather than manually parsing the CRL? >

Re: [openssl-users] CRL signature verification

2017-10-18 Thread Salz, Rich via openssl-users
, blocking issues, DNS, etc., that make things a non-simple matter. > - Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious

[openssl-users] CRL signature verification

2017-10-18 Thread Wouter Verhelst
in my own code. Did I miss something obvious? - Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure). Alternatively, is there

Re: [openssl-users] Making a CRL with an authority key identifier

2017-06-01 Thread Ivan Rubinson
*From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On >> behalf of *Ivan Rubinson >> *Sent:* Thursday, 1 June 2017 12:15 >> *To:* openssl-users@openssl.org >> *Subject:* [openssl-users] Making a CRL with an authority key identifier >> >> &g

Re: [openssl-users] Making a CRL with an authority key identifier

2017-06-01 Thread Ivan Rubinson
e 54 > > crl_extensions= crl_ext > > > > BR > > Juan Ángel > > > > *From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On behalf > of *Ivan Rubinson > *Sent:* Thursday, 1 June 2017 12:15 > *To:* openssl-users@openssl.org > *Subject:*

Re: [openssl-users] Making a CRL with an authority key identifier

2017-06-01 Thread Juan Angel Martin (AC Camerfirma)
Hi, Uncomment line 54 crl_extensions= crl_ext BR Juan Ángel From: openssl-users [mailto:openssl-users-boun...@openssl.org] On behalf of Ivan Rubinson Sent: Thursday, 1 June 2017 12:15 To: openssl-users@openssl.org Subject: [openssl-users] Making a CRL with an

[openssl-users] Making a CRL with an authority key identifier

2017-06-01 Thread Ivan Rubinson
Hello, My name is Ivan, and I'm trying to get OpenSSL to make a CRL with an authority key identifier. (a third party API expects it from the CRL) I make my own CA, use it to sign a certificate, and then generate the CRL. This is the configuration file: https://pastebin.com/yL4UBtGW

[openssl-users] CRL list with size more than 4MB

2017-05-03 Thread Hristiyan Kirov
CRL files are larger than 4MB. When a client with a certificate issued from them tries to log in, the following error is generated: [Wed Apr 12 18:48:37.694046 2017] [ssl:info] [pid 9123] [client xxx:51018] AH02276: Certificate Verification: Error (3): unable to get certificate CRL Other

[openssl-users] Automatic download of CRL

2017-04-21 Thread Lei Kong
I am using 1.0.2g. CRL checking works fine on my certificate when I download and save CRL in PEM format locally. I noticed that “openssl verify” has this option: -crl_download Attempt to download CRL information for this certificate. But it does not work for me. The CRL URL embedded

[openssl-users] CRL implementation caching

2017-03-13 Thread Mody, Darshan (Darshan)
Hi, We have modified our codebase to have CRL verification on the incoming certificates. While doing a negative testing with load of certificates I find that the resident memory for the module. My query is when we have CRL verification enabled does openssl cache incoming certificates

Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Wouter Verhelst
On 09-02-17 10:58, PM Extra wrote: Should I remove expired certificates from CRL? No. The date of the revocation, which can be found in the CRL, is still relevant for checking when older certificates were revoked, in case you ever need to check signatures on older messages. -- Wouter

Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Michael Wojcik
If you remove expired certificates from the CRL, then CRL consumers have no way of knowing whether a certificate was revoked before it expired, and thus no way of knowing whether a timestamped signature made with the corresponding key is valid. This is a complex issue, because CRL bloat is a

Re: [openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread Jakob Bohm
On 09/02/2017 10:58, PM Extra wrote: Should I remove expired certificates from CRL? If so, how to do this? Depends if any relying parties are checking old signatures "as of" some securely recorded date of receiving the signature. In that case, they will still need to be able to s

[openssl-users] Should I / How to remove expired certificates from CRL

2017-02-09 Thread PM Extra
Should I remove expired certificates from CRL? If so, how to do this?

Re: [openssl-users] C++ : Extracting CRL from a PKCS12

2016-11-14 Thread Richard Stanek
equirements that I have are that I also need to extract a CRL >> from that PKCS12. I see that there is a CRLBag defined in the IETF >> RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I >> know a CRL could exist inside a PKCS12. I can't seem to find any API >

Re: [openssl-users] C++ : Extracting CRL from a PKCS12

2016-11-14 Thread Dr. Stephen Henson
> > The new requirements that I have are that I also need to extract a CRL > from that PKCS12. I see that there is a CRLBag defined in the IETF > RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I > know a CRL could exist inside a PKCS12. I can't seem to fin

[openssl-users] C++ : Extracting CRL from a PKCS12

2016-11-02 Thread Richard Stanek
CRL from that PKCS12. I see that there is a CRLBag defined in the IETF RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I know a CRL could exist inside a PKCS12. I can't seem to find any API or C++ examples that extract a CRL from a PKCS12. Is there an API, example cod

[openssl-users] OpenSSL - unable to get certificate CRL

2016-10-11 Thread Juergen Edner
Hi, I hope you can help me to understand why OpenSSL doesn't act as expected when I try to verify a certificate chain. On my server the certificate files are stored in the following directory structure: /usr/local/ssl/certs -> certificate files /crl ->

Re: [openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-15 Thread Erwann Abalea
t twice, my apologies) > > When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I > sometimes get this error: > > wouter@gangtai:~$ openssl version > OpenSSL 1.0.2h 3 May 2016 > wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -t

[openssl-users] openssl crl fails to parse a CRL file, which seems correct

2016-09-14 Thread Wouter Verhelst
wouter@gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text unable to load CRL 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203: 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697

Re: [openssl-users] Custom lastUpdate in CRL

2016-09-09 Thread Jakob Bohm
<mailto:jb-open...@wisemo.com>> wrote: On 09/09/2016 12:11, Rishi Pathak wrote: Hi, For a reason we require lastUpdate to be set to a date in the previous year, with nextUpdate a year from now in our CRL. Search on google led me to a pa

Re: [openssl-users] Custom lastUpdate in CRL

2016-09-09 Thread Rishi Pathak
shi Pathak wrote: > >> Hi, >> For a reason we require lastUpdate to be set to a date in the >> previous year, with >> nextUpdate a year from now in our CRL. Search on google led me to a patch >> which >> allows use of startDate/endDate for CRL gen

Re: [openssl-users] Custom lastUpdate in CRL

2016-09-09 Thread Jakob Bohm
On 09/09/2016 12:11, Rishi Pathak wrote: Hi, For a reason we require lastUpdate to be set to a date in the previous year, with nextUpdate a year from now in our CRL. Search on google led me to a patch which allows use of startDate/endDate for CRL generation as well apart from

[openssl-users] Custom lastUpdate in CRL

2016-09-09 Thread Rishi Pathak
Hi, For a reason we require lastUpdate to be set to a date in the previous year, with nextUpdate a year from now in our CRL. Search on google led me to a patch which allows use of startDate/endDate for CRL generation as well apart from certificates. Seems like 1.0-1 does not have it. Any

[openssl-users] Help with CRL stuff

2016-03-19 Thread Jones, Ian
Hey guys! I have a quick question that I can't seem to find the answer to anywhere: I know how to add a "fullname" CRL distribution point extension, but how does one add nameRelativeToCRLIssuer? The RFC says that it's a 'choice' element in x509 CRL extensi

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-09 Thread Dr. Stephen Henson
On Wed, Mar 09, 2016, o haya wrote: > > Question: What exactly determines the ORDER in which the CRLs would be > selected? > > In other words, say there were two CRL files (the previous one and the > current one) but one hash (only .r0) pointing to the current CRL file.

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-09 Thread o haya
Dr. Henson, It turns out that the app apparently makes copies of the old CRL files before downloading new ones, i.e., so there were multiple copies of CRL files for the same CA. They cleaned out the directory and left only one CA CRL and the ROOT CA CRL and then it worked. Question: What

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-08 Thread o haya
the Apache, but I'm guessing that they do do that. I'll confirm tomorrow. Based on what you said, and assuming we use individual files per CRL and with the hashes, and assuming that we just happen to have more than one CRL file that resulted in the same hash string, would that

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-08 Thread Dr. Stephen Henson
On Tue, Mar 08, 2016, o haya wrote: > > Can you clarify what you mean by "multiple CRLs with the same hash"? Do you > mean a situation where we have several of the CRL files (for different CAs) > where the result of the "openssl hash" gives an identical number

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-08 Thread o haya
s with the same hash"? Do you mean a situation where we have several of the CRL files (for different CAs) where the result of the "openssl hash" gives an identical number/string? I'm not on our production site yet, so I'll ask someone who is. I'm pretty sure that

Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-08 Thread Dr. Stephen Henson
the hashes for them using an app or script that we wrote. I think > that this essentially does something like: > > ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 > > However, when we did a test upgrade one of our production instances the > requests are failing and, in

[openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

2016-03-08 Thread o haya
g like: ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 However, when we did a test upgrade one of our production instances the requests are failing and, in the error logs, we are seeing the following messages: [ssl.debug] [pid 4866] ssl_engine_kernel.c: [client 10.10.10.10-] Cer

Re: [openssl-users] Certificat & CRL verification chain by callback

2015-06-17 Thread Fabrice
ied to use X509_LOOKUP.get_by_subject() but I am only requested on certificates in the chain, not on CRL. Are you trying to provide your own store of trusted issuer certificates and CRLs and associated access methods for the OpenSSL verification routi

Re: [openssl-users] Certificat & CRL verification chain by callback

2015-06-16 Thread Viktor Dukhovni
ed in PEM format into an > allocated char * Forget the PEM format detail, all the various formats are inter-convertible, that's not important. > I tried to use X509_LOOKUP.get_by_subject() but I am only requested on > certificates in the chain, not on CRL. Are you trying to pr

Re: [openssl-users] Certificat & CRL verification chain by callback

2015-06-16 Thread Fabrice
, not on CRL. I found the TOMCAT source sslutils.c that does the job on peer, but I didn't find such a function in the openssl API outside peer. With such a callback verifier, you can download certificates and CRLs from files, from directories, from LDAP, from HTTPS, as you want. Do you under

Re: [openssl-users] Certificat & CRL verification chain by callback

2015-06-16 Thread Jakob Bohm
: is an instance of a class whatYouWant : is a method of that can find (certificate X509_LU_X509, CRL X509_LU_CRL) with the and eventually the this function would callback on until the root CA of and do the appropriate verifications on intermediate certificates and CRLs, and return 0 success

Re: [openssl-users] Certificat & CRL verification chain by callback

2015-06-16 Thread Viktor Dukhovni
> > : is a certificate in PEM format to verify > : is an instance of a class > whatYouWant : is a method of that can find (certificate > X509_LU_X509, CRL X509_LU_CRL) > with the and eventually the > > this function would callback on until the root CA of > an

[openssl-users] Certificat & CRL verification chain by callback

2015-06-16 Thread Fabrice
: is a method of that can find (certificate X509_LU_X509, CRL X509_LU_CRL) with the and eventually the this function would callback on until the root CA of and do the appropriate verifications on intermediate certificates and CRLs, and return 0 success, other error. Is there any solution

Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jeffrey Walton
On Wed, Jul 30, 2014 at 5:54 PM, dave paxton wrote: > ... > They were thinking that the problem from the recent random number issue > is a real problem in older 32 bit systems. ... One suggestion is they > used a get milli command to fill the 64 bits. I thought that was > silly. So I thought I

Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread dave paxton
ltz wrote: > >> OK. So as far as you're aware, there's not a way to avoid the requirement of >> the combined root cert/CRL file when checking for revoked certificates? I >> would prefer to just have to deal with the CRL in PEM format, but the CRL >> file must alw

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
Dr Henson- The first message in this thread had the relevant code, copied again below. I have tried a few tweaks on setting up for CRL checking, but this is what I have now: Reading the file in; I have edited out a lot of error checking, etc, but the CRL is read in successfully: X509_STORE

Re: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Dr. Stephen Henson
On Wed, Jul 30, 2014, Jason Schultz wrote: > OK. So as far as you're aware, there's not a way to avoid the requirement of > the combined root cert/CRL file when checking for revoked certificates? I > would prefer to just have to deal with the CRL in PEM format, but the CRL &g

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
Yes, but "as far as I'm aware" doesn't go very far into that part of the code. See what happens when other devs (in timezones closer to GMT) reply. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
OK. So as far as you're aware, there's not a way to avoid the requirement of the combined root cert/CRL file when checking for revoked certificates? I would prefer to just have to deal with the CRL in PEM format, but the CRL file must always be the CRL appended to the root cert, as fa

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I was confused; when you said "append to the root cert" I thought you meant copying it into the local directory. You meant literally appending it to the cert. I suppose you could create a new file with a "similar" name... -- Principal Security Engineer Akamai Technologies, Cambridge MA IM:

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
OK, maybe I'm confused. I can get the CRL to my client machine OK, that's not an issue. What I'm saying is, placing the CRLs into the local directory alone is not OK, revocation check will not work. In order for that to work, I need to append the CRL to the root certificate in /e

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
No, I'm saying that putting the CRLs into the local directory is okay, and OpenSSL will parse them. How you get them there is your issue :) -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
. I am not concerned with getting updated CRLs, I just want to know how to properly check for revocation once I have a CRL in /etc/ssl/crls on the client. Can you give a brief high-level view of what I'd need to do this in my client without the file appending? Thanks! > From: rs...@akamai

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Salz, Rich
> However, I do have a question. Is there any way around this requirement? The > requirement of appending the root certificate and CRL files on the client > machine in /etc/ssl/crls? It totally depends on the client program that you are using. So, which client? The validation code

RE: Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
It appears this is resolved already, sort of. It appears the one thing I did not try after revoking the serverCA certificate with my root was to concatenate the new CRL to the root cert on the client machine. When I did that, my client got a certificate revoked error. However, I do have a

Can't get my CRL to work on my OpenSSL client

2014-07-30 Thread Jason Schultz
I'm having trouble figuring out how to get a CRL I created working. I'll start from the beginning, apologies for length. First, I created my own CA with OpenSSL (1.0.1h) on my server machine, consisting of 3 certificates: root -> serverCA -> server. I successfully opened con

Re: CRL & default_crl_days

2014-05-12 Thread Jeffrey Walton
8, PKI. From page 638: When a CA issues a CRL, it bundles up a blacklist of revoked certificates along with an issue date and a second date indicating when the next blacklist will become available. A relying party that doesn’t have a current CRL is expected to fetch the current one and

RE: CRL & default_crl_days

2014-05-12 Thread Eisenacher, Patrick
Hi Gregory, > -Original Message- > From: Gregory Sloop [snip] > So, I thought - why should I set the default_crl_days to some low > number. I assume that it [the CRL] can be replaced with a "new" CRL, > should we need one, long before the default_crl_days li

RE: CRL & default_crl_days

2014-05-09 Thread Michael Wojcik
I don't claim any expertise in this area, but RFC 5280 5.1.2.5 seems pretty clear: 5.1.2.5 Next Update This field indicates the date by which the next CRL will be issued. The next CRL could be issued before the indicated date, but it will not be i

Re: CRL & default_crl_days

2014-05-09 Thread Gregory Sloop
GS> So, I'm working with an EAP-TLS system running under freeradius. GS> I've setup things to use a CRL [not OSCP] to revoke certificates and GS> all works well. GS> However, the parameter default_crl_days=XXX puzzles me. GS> Through trial and error [mostly error]

Re: CRL & default_crl_days

2014-05-09 Thread Gregory Sloop
GS> So, I'm working with an EAP-TLS system running under freeradius. GS> I've setup things to use a CRL [not OSCP] to revoke certificates and GS> all works well. GS> However, the parameter default_crl_days=XXX puzzles me. GS> Through trial and error [mostly error]

CRL & default_crl_days

2014-05-06 Thread Gregory Sloop
So, I'm working with an EAP-TLS system running under freeradius. I've setup things to use a CRL [not OSCP] to revoke certificates and all works well. However, the parameter default_crl_days=XXX puzzles me. Through trial and error [mostly error] I know that if I don't regenerat

Re: Enabling s_server to use a local CRL file

2014-04-03 Thread Dave Thompson
In order to validate a client cert at all, with or without CRL(s), yes the server must request the client cert and s_server does that only if you specify -verify or -Verify. The client must also agree to provide the cert, which it might not; if it does not and you use -verify the handshake

Re: Enabling s_server to use a local CRL file

2014-03-31 Thread Lakshmi Reguna
does not have to send one, with the -Verify option the client must supply a certificate or an error occurs. -crl_check, -crl_check_all Check the peer certificate has not been revoked by its CA. The CRL(s) are appended to the certificate file. With the -crl_check_all option all CRLs of all CAs

RE: Enabling s_server to use a local CRL file

2014-03-31 Thread Dave Thompson
Through 1.0.1, put the CRL in PEM format in CAfile (specified or defaulted) or in CApath (ditto) named or linked as $hash.r$num (c_rehash can do that for you). I've never seen a CA distribute PEM so you almost certainly need to convert. And specify -crl_check or -crl_check_all (see the man pa

Enabling s_server to use a local CRL file

2014-03-28 Thread Lakshmi Reguna
Hi, I would like to know how I can specify s_server to use a local CRL file. Do I need to specify a LDAP CRL distribution field in the certificate which is being checked against the CRL ? Thanks, Lakshmi. *** Please note that this message and any attachments may contain confidential and

Re: CRL generating server, not from command line

2014-03-19 Thread Tom Francis
On Mar 18, 2014, at 2:19 PM, Clesmon University wrote: > Hello: > > What I can find online or in book "Network security with OpenSSL" is using > command line to generate a CRL. However, what I want to do is to let my > server receive a serial number from outside int
