since I upgraded to openssl 1.0.1, the revocation check function in my application is broken. Using "apps / verfiy.c" I found that the loading of CRL files has changed, which I have done so far:
X509_LOOKUP *lookup; const char *crl_path = "/path/to/crls" X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); SSL_CTX_set1_param(ctx, param); lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir()); if (lookup == NULL) { return "CRL path initialization error: X509 lookup initialization failed."; } if(!X509_LOOKUP_add_dir(lookup, crl_path, X509_FILETYPE_PEM)) { return "CRL path initialization error: path addition failed."; } X509_VERIFY_PARAM_free(param);
Having done this, I always get the error message "CRL certificate could not be loaded."
However, in "apps / verify.c", CRL files are recently downloaded one at a time using the following code:
STACK_OF(X509_CRL) *crls; char *crlfile = "/path/to/single/crl" crls = load_crls(bio_err, crlfile, FORMAT_PEM, NULL, e, "other CRLs"); X509_STORE_CTX_set0_crls(csc, crls);
Does anyone know how CRL files can still be loaded using search routines (e.g. X509_LOOKUP_add_dir) and all at once according to the CRL path specification?
source share