packing CA CRL in pkcs12 format ??


packing CA CRL in pkcs12 format ??

Raj Singh-5
Hi All,
I just want to pack a CA CRL into a .p12 file, but I'm not able to find any option for this in `openssl pkcs12`.
I have even gone through apps/pkcs12.c but could not find one.
Any suggestions?

Thanks in advance.

Njoy #
RSJ

Re: packing CA CRL in pkcs12 format ??

upinder singh
Hi Rajeshwar,
 
Are you from IIT Mumbai, and are you the Rajeshwar I know?
 
Regards
Maj Gill

Rajeshwar Singh Jenwar <[hidden email]> wrote:
Hi All,
I just want to pack a CA CRL into a .p12 file, but I'm not able to find any option for this in `openssl pkcs12`.
I have even gone through apps/pkcs12.c but could not find one.
Any suggestions?

Thanks in advance.

Njoy #
RSJ



Re: packing CA CRL in pkcs12 format ??

Dr. Stephen Henson
In reply to this post by Raj Singh-5
On Fri, Nov 04, 2005, Rajeshwar Singh Jenwar wrote:

> Hi All,
> I just want to pack CA CRL in .p12 cert. But i m not able to find any option
> for this in `openssl pkcs12`.
> Even i gone through apps/pkcs12.c but not able to find.
> Any suggestions ??
>

It isn't currently supported, nor can the simple PKCS12_create() function
handle it. There is some code which will pack CRLs in the low level APIs
though.

The easiest way to make that work would be to hack the OpenSSL 0.9.7X pkcs12.c
sources.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

revoking certs and generating crl's

david kine
In reply to this post by Raj Singh-5
In the book "Network Security with OpenSSL" on pages
124-125 is a list of OpenSSL commands to create a root
CA, and a server CA signed with the root CA.

My question is, how would I use the openssl CA command
to revoke the server CA certificate by the root CA,
and generate a CRL?  

I have tried "openssl ca -revoke ....." and "openssl
ca -crl ......" without success.

----

Here are the commands to create the root CA:

1.  openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem

2.  openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem

3.  cat rootcert.pem rootkey.pem > root.pem

And to create the server CA signed by the root CA:

4.  openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem

5.  openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem

6.  cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem





Re: revoking certs and generating crl's

Dr. Stephen Henson
On Tue, Nov 08, 2005, david kine wrote:

> In the book "Network Security with OpenSSL" on pages
> 124-125 is a list of OpenSSL commands to create a root
> CA, and a server CA signed with the root CA.
>
> My question is, how would I use the openssl CA command
> to revoke the server CA certificate by the root CA,
> and generate a CRL?  
>
> I have tried "openssl ca -revoke ....." and "openssl
> ca -crl ......" without success.
>
> ----
>
> Here are the commands to create the root CA:
>
> 1.  openssl req -newkey rsa:1024 -sha1 -keyout
> rootkey.pem -out rootreq.pem
>
> 2.  openssl x509 -req -in rootreq.pem -sha1
> -extensions v3_ca -signkey rootkey.pem -out
> rootcert.pem
>
> 3.  cat rootcert.pem rootkey.pem > root.pem
>
> And to create the server CA signed by the root CA:
>
> 4.  openssl req -newkey rsa:1024 -sha1 -keyout
> serverCAkey.pem -out serverCAreq.pem
>
> 5.  openssl x509 -req -in serverCAreq.pem -sha1
> -extensions v3_ca -CA root.pem -CAkey root.pem
> -CAcreateserial -out serverCAcert.pem
>
> 6.  cat serverCAcert.pem serverCAkey.pem rootcert.pem
> > serverCA.pem
>

The 'ca -gencrl' option will only directly work on a CA that is generated by
the 'ca' command. Some guides still tell you to create certificates manually
using the 'x509' command.

If you can instead use the CA.pl script to generate the certificates then the
revoke and gencrl options should work.

Alternatively if you need to use the existing certificates you can create the
necessary structure with CA.pl -newca and give it the root CA certificate file
when prompted.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: revoking certs and generating crl's

david kine
I'm attempting to use CA.pl on a Solaris 10 Sparc
system.  OpenSSL is provided on the distribution CD's
(OpenSSL 0.9.7d 17 Mar 2004).  I use the following
commands:

1.  CA.pl -newca
2.  CA.pl -newreq
3.  CA.pl -signreq      {problems at this step}

During the signreq, the program cannot open the CA
private key and produces a core file:

---------

Using configuration from /etc/sfw/openssl/openssl.cnf
Error opening CA private key
/etc/sfw/openssl/private/cakey.pem
20715:error:0E06D06C:configuration file
routines:NCONF_get_string:no
value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default
name=unique_subject
20715:error:0200100D:system library:fopen:Permission
denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
20715:error:20074002:BIO routines:FILE_CTRL:system
lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
unable to load CA private key
Signed certificate is in newcert.pem

------

The file "newcert.pem" is not created.

The CA private key apparently is contained in
"./demoCA/private/cakey.pem".

Should I use a custom openssl.cnf to fix this problem? Or modify CA.pl?

Thanks,

-David



--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Tue, Nov 08, 2005, david kine wrote:
>
> > In the book "Network Security with OpenSSL" on pages
> > 124-125 is a list of OpenSSL commands to create a root
> > CA, and a server CA signed with the root CA.
> >
> > My question is, how would I use the openssl CA command
> > to revoke the server CA certificate by the root CA,
> > and generate a CRL?
> >
> > I have tried "openssl ca -revoke ....." and "openssl
> > ca -crl ......" without success.
> >
> > ----
> >
> > Here are the commands to create the root CA:
> >
> > 1.  openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
> >
> > 2.  openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
> >
> > 3.  cat rootcert.pem rootkey.pem > root.pem
> >
> > And to create the server CA signed by the root CA:
> >
> > 4.  openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
> >
> > 5.  openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
> >
> > 6.  cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
> >
>
> The 'ca -gencrl' option will only directly work on a CA that is generated by
> the 'ca' command. Some guides still tell you to create certificates manually
> using the 'x509' command.
>
> If you can instead use the CA.pl script to generate the certificates then the
> revoke and gencrl options should work.
>
> Alternatively if you need to use the existing certificates you can create the
> necessary structure with CA.pl -newca and give it the root CA certificate file
> when prompted.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk




Re: revoking certs and generating crl's

Dr. Stephen Henson
On Wed, Nov 09, 2005, david kine wrote:

> I'm attempting to use CA.pl on a Solaris 10 Sparc
> system.  OpenSSL is provided on the distribution CD's
> (OpenSSL 0.9.7d 17 Mar 2004).  I use the following
> commands:
>
> 1.  CA.pl -newca
> 2.  CA.pl -newreq
> 3.  CA.pl -signreq      {problems at this step}
>
> During the signreq, the program cannot open the CA
> private key and produces a core file:
>
> ---------
>
> Using configuration from /etc/sfw/openssl/openssl.cnf
> Error opening CA private key
> /etc/sfw/openssl/private/cakey.pem
> 20715:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default
> name=unique_subject
> 20715:error:0200100D:system library:fopen:Permission
> denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
> 20715:error:20074002:BIO routines:FILE_CTRL:system
> lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
> unable to load CA private key
> Signed certificate is in newcert.pem
>
> ------
>
> The file "newcert.pem" is not created.
>
> The CA private key apparently is contained in
> "./demoCA/private/cakey.pem".
>
> Should I use a custom openssl.cnf to fix this problem?
>  Or modify CA.pl?
>

Looks like they've modified openssl.cnf already but haven't changed CA.pl to
suit.

You could try a standard openssl.cnf (e.g. from a standard distribution on
www.openssl.org) and using the OPENSSL_CONF environment variable to point to it.

Alternatively try compiling up a more recent version of OpenSSL and using
that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: revoking certs and generating crl's

david kine
I've switched over to a Linux system running OpenSSL
0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
now everything works fine.

Going back to my original question, I need to create a
root CA, then create a server CA (signed with the root
CA), then create a server certificate (signed with the
server CA).

Just like the examples in "Programming with SSL",
pages 125 and 125.

Then I will need to revoke the server CA and create a
crl.

So my question is, given that CA.pl creates a root CA,
how do I create the server CA?  Then create a server
certificate signed with the server CA?

-David



--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I'm attempting to use CA.pl on a Solaris 10 Sparc
> > system.  OpenSSL is provided on the distribution CD's
> > (OpenSSL 0.9.7d 17 Mar 2004).  I use the following
> > commands:
> >
> > 1.  CA.pl -newca
> > 2.  CA.pl -newreq
> > 3.  CA.pl -signreq      {problems at this step}
> >
> > During the signreq, the program cannot open the CA
> > private key and produces a core file:
> >
> > ---------
> >
> > Using configuration from /etc/sfw/openssl/openssl.cnf
> > Error opening CA private key
> > /etc/sfw/openssl/private/cakey.pem
> > 20715:error:0E06D06C:configuration file
> > routines:NCONF_get_string:no
> > value:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/conf/conf_lib.c:329:group=CA_default
> > name=unique_subject
> > 20715:error:0200100D:system library:fopen:Permission
> > denied:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:276:fopen('/etc/sfw/openssl/private/cakey.pem','r')
> > 20715:error:20074002:BIO routines:FILE_CTRL:system
> > lib:/on10/builds/on10_74l3/usr/src/common/openssl/crypto/bio/bss_file.c:278:
> > unable to load CA private key
> > Signed certificate is in newcert.pem
> >
> > ------
> >
> > The file "newcert.pem" is not created.
> >
> > The CA private key apparently is contained in
> > "./demoCA/private/cakey.pem".
> >
> > Should I use a custom openssl.cnf to fix this problem?
> > Or modify CA.pl?
> >
>
> Looks like they've modified openssl.cnf already but haven't changed CA.pl to
> suit.
>
> You could try a standard openssl.cnf (e.g. from a standard distribution on
> www.openssl.org) and using the OPENSSL_CONF environment variable to point to it.
>
> Alternatively try compiling up a more recent version of OpenSSL and using
> that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



Re: revoking certs and generating crl's

Dr. Stephen Henson
On Wed, Nov 09, 2005, david kine wrote:

> I've switched over to a Linux system running OpenSSL
> 0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
> now everything works fine.
>
> Going back to my original question, I need to create a
> root CA, then create a server CA (signed with the root
> CA), then create a server certificate (signed with the
> server CA).
>
> Just like the examples in "Programming with SSL",
> pages 125 and 125.
>
> Then I will need to revoke the server CA and create a
> crl.
>
> So my question is, given that CA.pl creates a root CA,
> how do I create the server CA?  Then create a server
> certificate signed with the server CA?
>

Create a new certificate request for the server CA. Then sign it with:

CA.pl -signca

Then in a different directory run CA.pl -newca again and supply it with the
server certificate filename.

Then you will have two separate CA directories where you can issue
certificates for each CA.

If you want to revoke the server CA you would do that from the root CA
directory using "openssl ca -revoke" and "openssl ca -gencrl".

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: revoking certs and generating crl's

david kine
Very clever, thanks for the tips.

-David


--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I've switched over to a Linux system running OpenSSL
> > 0.9.7a Feb 19 2003, and copied the CA.pl from Solaris,
> > now everything works fine.
> >
> > Going back to my original question, I need to create a
> > root CA, then create a server CA (signed with the root
> > CA), then create a server certificate (signed with the
> > server CA).
> >
> > Just like the examples in "Programming with SSL",
> > pages 125 and 125.
> >
> > Then I will need to revoke the server CA and create a
> > crl.
> >
> > So my question is, given that CA.pl creates a root CA,
> > how do I create the server CA?  Then create a server
> > certificate signed with the server CA?
> >
>
> Create a new certificate request for the server CA. Then sign it with:
>
> CA.pl -signca
>
> Then in a different directory run CA.pl -newca again and supply it with the
> server certificate filename.
>
> Then you will have two separate CA directories where you can issue
> certificates for each CA.
>
> If you want to revoke the server CA you would do that from the root CA
> directory using "openssl ca -revoke" and "openssl ca -gencrl"
>
> Steve.
> --




Loading CRL's into client application

david kine
I have a secure client application that loads a pkcs12
file containing client cert, client key, and trusted
root CA's.  It works perfectly, connecting only to
servers signed by the trusted CA's.

However, when I load a single CRL file, then all
connections fail:

"unable to get certificate CRL"
"SSL_connect error 1,
error:00000001:lib(0):func(0):reason(1)"
"SSL error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed"

The certificates are generated with CA.pl, and the CRL
with openssl CA utilities.

The code to load the CRL (with error checking removed
here), assuming pSSL_CTX is the SSL context and
file.crl is the CRL file:

-----

X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );

X509_LOOKUP *pLookup = X509_STORE_add_lookup( pStore, X509_LOOKUP_file() );

/* Loads a DER (binary) CRL; returns the number of CRLs loaded, 0 on failure. */
X509_load_crl_file( pLookup, "file.crl", X509_FILETYPE_ASN1 );

/* CRL_CHECK: check the end-entity certificate against a CRL;
   CRL_CHECK_ALL: additionally check every other certificate in the chain. */
X509_STORE_set_flags( pStore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );

----

Am I missing a step or doing something incorrectly?

I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10
(Sparc).

-David




Re: Loading CRL's into client application

Dr. Stephen Henson
On Wed, Nov 09, 2005, david kine wrote:

> I have a secure client application that loads a pkcs12
> file containing client cert, client key, and trusted
> root CA's.  It works perfectly, connecting only to
> servers signed by the trusted CA's.
>
> However, when I load a single CRL file, then all
> connections fail:
>
> "unable to get certificate CRL"
> "SSL_connect error 1,
> error:00000001:lib(0):func(0):reason(1)"
> "SSL error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed"
>
> The certificates are generated with CA.pl, and the CRL
> with openssl CA utilities.
>
> The code to load the CRL (with error checking removed
> here), assuming pSSL_CTX is the SSL context and
> file.crl is the CRL file:
>
> -----
>
> X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX
> );
>
> X509_LOOKUP *pLookup = X509_STORE_add_lookup(
>     pStore, X509_LOOKUP_file()
> );
>
> X509_load_crl_file( pLookup, "file.crl",
> X509_FILETYPE_ASN1)
>
> X509_STORE_set_flags(
>     pStore, X509_V_FLAG_CRL_CHECK |
> X509_V_FLAG_CRL_CHECK_ALL
> );
>
> ----
>
> Am I missing a step or doing something incorrectly?
>
> I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10
> (Sparc).
>

If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end
entity certificate (server or client) against a CRL. If you set
X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for the
complete chain.

So my guess is there's a certificate in the chain which doesn't have a
corresponding CRL.

Also check the return value of X509_load_crl_file() to see if it's loaded
correctly.

BTW the option above would load a DER (binary) format CRL whereas the default
output of -gencrl is PEM.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Loading CRL's into client application

david kine
I tried your suggestion to set only
X509_V_FLAG_CRL_CHECK, but unfortunately it did not
help.  Attempting to connect to ANY secure server
still causes the same "unable to get certificate CRL"
error.

I know that the CRL is loaded successfully, because I
can later extract it from the SSL_CTX and print its
issuer using  X509_NAME_oneline( X509_CRL_get_issuer()
).

(The original PEM CRL was converted to DER as you
noticed).

I tried an experiment where I do NOT load the CRL, but
I DO set the X509_V_FLAG_CRL_CHECK flag.  The same
error occurs: cannot connect to any secure server,
with the "unable to get certificate CRL" message.
Perhaps this is a clue.

To summarize, my program works perfectly unless I set
the X509_V_FLAG_CRL_CHECK flag, whether or not I add a
CRL using X509_load_crl_file().

-David



--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Nov 09, 2005, david kine wrote:
>
> > I have a secure client application that loads a pkcs12
> > file containing client cert, client key, and trusted
> > root CA's.  It works perfectly, connecting only to
> > servers signed by the trusted CA's.
> >
> > However, when I load a single CRL file, then all
> > connections fail:
> >
> > "unable to get certificate CRL"
> > "SSL_connect error 1,
> > error:00000001:lib(0):func(0):reason(1)"
> > "SSL error: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > verify failed"
> >
> > The certificates are generated with CA.pl, and the CRL
> > with openssl CA utilities.
> >
> > The code to load the CRL (with error checking removed
> > here), assuming pSSL_CTX is the SSL context and
> > file.crl is the CRL file:
> >
> > -----
> >
> > X509_STORE *pStore = SSL_CTX_get_cert_store( pSSL_CTX );
> >
> > X509_LOOKUP *pLookup = X509_STORE_add_lookup(
> >     pStore, X509_LOOKUP_file()
> > );
> >
> > X509_load_crl_file( pLookup, "file.crl",
> > X509_FILETYPE_ASN1)
> >
> > X509_STORE_set_flags(
> >     pStore, X509_V_FLAG_CRL_CHECK |
> > X509_V_FLAG_CRL_CHECK_ALL
> > );
> >
> > ----
> >
> > Am I missing a step or doing something incorrectly?
> >
> > I am running OpenSSL 0.9.7d 17 Mar 2004 on Solaris 10
> > (Sparc).
> >
>
> If you set the option X509_V_FLAG_CRL_CHECK it only has to check the end
> entity certificate (server or client) against a CRL. If you set
> X509_V_FLAG_CRL_CHECK_ALL as well (as you've done above) you need CRLs for the
> complete chain.
>
> So my guess is there's a certificate in the chain which doesn't have a
> corresponding CRL.
>
> Also check the return value of X509_load_crl_file() to see if it's loaded
> correctly.
>
> BTW the option above would load a DER (binary) format CRL whereas the default
> output of -gencrl is PEM.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk




Re: Loading CRL's into client application

Dr. Stephen Henson
On Thu, Nov 10, 2005, david kine wrote:

> I tried your suggestion to set only
> X509_V_FLAG_CRL_CHECK, but unfortunately it did not
> help.  Attempting to connect to ANY secure server
> still causes the same "unable to get certificate CRL"
> error.
>
> I know that the CRL is loaded successfully, because I
> can later extract it from the SSL_CTX and print its
> issuer using  X509_NAME_oneline( X509_CRL_get_issuer()
> ).
>
> (The original PEM CRL was converted to DER as you
> noticed).
>
> I tried an experiment where I do NOT load the CRL, but
> I DO set the X509_V_FLAG_CRL_CHECK flag.  The same
> error occurs: cannot connect to any secure server,
> with the "unable to get certificate CRL" message.
> Perhaps this is a clue.
>
> To summarize, my program works perfectly unless I set
> the X509_V_FLAG_CRL_CHECK flag, whether or not I add a
> CRL using X509_load_crl_file().
>

Does the CRL cover the server certificate in question?

I'd suggest extracting a server chain using the -showcerts option to s_client.

Then pass the chain to "openssl verify", include the CRL and see if you can get
the crl_check option to work with that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Loading CRL's into client application

david kine
Okay, I solved this problem in a very unexpected way.

First of all, I was using s_server incorrectly.  I
neglected to add -CAfile.  Doing so caused my
application to get the error "23: certificate revoked"
as expected.

However, accessing servers which were NOT revoked
still produced the error "3: unable to get certificate
CRL".

I solved this problem in my SSL verify callback
function by checking for error == 3, and returning
true.  In other words, by simply ignoring the error!

Thanks for all the help,

-David


--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Thu, Nov 10, 2005, david kine wrote:
>
> > I tried your suggestion to set only
> > X509_V_FLAG_CRL_CHECK, but unfortunately it did not
> > help.  Attempting to connect to ANY secure server
> > still causes the same "unable to get certificate CRL"
> > error.
> >
> > I know that the CRL is loaded successfully, because I
> > can later extract it from the SSL_CTX and print its
> > issuer using  X509_NAME_oneline( X509_CRL_get_issuer() ).
> >
> > (The original PEM CRL was converted to DER as you
> > noticed).
> >
> > I tried an experiment where I do NOT load the CRL, but
> > I DO set the X509_V_FLAG_CRL_CHECK flag.  The same
> > error occurs: cannot connect to any secure server,
> > with the "unable to get certificate CRL" message.
> > Perhaps this is a clue.
> >
> > To summarize, my program works perfectly unless I set
> > the X509_V_FLAG_CRL_CHECK flag, whether or not I add a
> > CRL using X509_load_crl_file().
> >
>
> Does the CRL cover the server certificate in question?
>
> I'd suggest extracting a server chain using the -showcerts option to s_client.
>
> Then pass the chain to "openssl verify", include the CRL and see if you can get
> the crl_check option to work with that.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk




Re: Loading CRL's into client application

Dr. Stephen Henson
On Thu, Nov 10, 2005, david kine wrote:

> Okay, I solved this problem in a very unexpected way.
>
> First of all, I was using s_server incorrectly.  I
> neglected to add -CAfile.  Doing so caused my
> application to get the error "23: certificate revoked"
> as expected.
>
> However, accessing servers which were NOT revoked
> still produced the error "3: unable to get certificate
> CRL".
>
> I solved this problem in my SSL verify callback
> function by checking for error == 3, and returning
> true.  In other words, by simply ignoring the error!
>

That would mean that a certificate which you didn't have a valid CRL for would
be regarded as valid, so it's not a good idea.

Some older versions of OpenSSL didn't process the CRL_CHECK_ALL flag correctly
so I'd suggest trying a newer version.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk