Joacim Kosonen | 12 Jul 21:23 2013

Problem with openssl verify -crl_check for multiple CRLs

Hello,

I've encountered a strange problem with multiple CRLs and authentication. I've been using a script to download and prepare roughly 200 CRLs, placing them in the correct folder and rehashing them as is proper. I tell (in this case) freeradius to use the external command openssl verify -crl_check <Path>... etc and this works only in some cases. I've tested two different certificates, both revoked, and only one is shown as revoked by openssl upon the client attempting to authenticate, while the other can connect just fine despite being revoked.

I've been doing a lot of digging and I've come up short so far. I am admittedly a novice when it comes to openssl so I'm sure I'm overlooking something, but what reasons could there be for this issue? The certificates all have the distribution point extension, so my thought would be that the correct CRL would be looked up in the folder containing the hashes. What could I be doing wrong?

Kind regards,
Joacim Kosonen
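
An added diagnostic sketch for the setup described in the message above (not part of the original post; the function names are hypothetical). With a hashed directory, OpenSSL finds a certificate's CRL by the hash of the issuer name, tries <hash>.r0, <hash>.r1, ... in order, stops at the first missing number, and reads the files as PEM, so the report flags a missing CRL, a non-PEM file, and files hidden behind a numbering gap.

```shell
#!/bin/sh
# Added example: audit which CRL files a hashed-directory lookup would
# actually read for one issuer-name hash.

# crl_lookup_report DIR HASH
# Prints one status line per relevant file:
#   OK       file would be read and looks like a PEM CRL
#   NOT-PEM  file would be tried but has no PEM CRL header (e.g. raw DER)
#   MISSING  no <hash>.r0 exists, so no CRL is found for this issuer
#   SKIPPED  file sits after a gap in the .rN numbering and is never tried
crl_lookup_report() {
    dir=$1
    hash=$2
    n=0
    # Walk .r0, .r1, ... and stop at the first number that does not exist.
    while [ -e "$dir/$hash.r$n" ]; do
        if grep -q -e '-----BEGIN X509 CRL-----' "$dir/$hash.r$n"; then
            echo "OK $dir/$hash.r$n"
        else
            echo "NOT-PEM $dir/$hash.r$n"
        fi
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "MISSING $dir/$hash.r0"
    fi
    # Any remaining <hash>.rK with K >= n lies behind a gap.
    for f in "$dir/$hash".r*; do
        [ -e "$f" ] || continue
        k=${f##*.r}
        case $k in ''|*[!0-9]*) continue ;; esac
        if [ "$k" -ge "$n" ]; then
            echo "SKIPPED $f"
        fi
    done
    return 0
}

# crl_report_for_cert DIR CERT.pem
# Same report, with the hash taken from the certificate's issuer name.
crl_report_for_cert() {
    hash=$(openssl x509 -noout -issuer_hash -in "$2") || return 1
    crl_lookup_report "$1" "$hash"
}
```

Running crl_report_for_cert against each of the two revoked certificates shows whether both resolve to a CRL file that is actually read.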
Sean O'Neill | 4 Mar 19:32 2003

Re: Problem with OpenSSL 0.9.7a, Solaris 8 and "make do_solaris-shared"


>At 05:53 PM 3/4/2003 +0100, Laurent Blume wrote:
>>
>>Instead, I was just doing things like:
>>./config --prefix=/opt/openssl-0.9.7a shared
>>gmake
>>gmake test
>>gmake install

Yep, that fixed it :)  Thanks.

--
........................................................
......... ..- -. .. -..- .-. ..- .-.. . ... ............
.-- .. -. -... .-.. --- .-- ... -.. .-. --- --- .-.. ...

Sean O'Neill 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Paul Muntz | 10 May 18:18 2003

Re: Problem with OpenSSL - incorrect compiling or... ?

> Did you get as far as:
> 
> http://www.openssl.org/docs/crypto/pem.html#NOTES
> 
> there's an example there of what *NOT* to do :-)
> 
> Steve.
// **************************
FILE *F;
X509 *p;

F=fopen("t.PEM","r");
X509_free(p);
p=PEM_read_X509(F,NULL,0,NULL);
// **************************

So, in this case X509_free() crashes - nothing to free, "p" is uninitialized...
Must the PEM_read_ function do the initialization of the empty X509 structure??? Possibly it cannot work
with FILE, only with the BIO interface?


Dr. Stephen Henson | 10 May 18:32 2003

Re: Problem with OpenSSL - incorrect compiling or... ?

On Sat, May 10, 2003, Paul Muntz wrote:

> > Did you get as far as:
> > 
> > http://www.openssl.org/docs/crypto/pem.html#NOTES
> > 
> > there's an example there of what *NOT* to do :-)
> > 
> > Steve.
> // **************************
> FILE *F;
> X509 *p;
> 
> F=fopen("t.PEM","r");
> X509_free(p);
> p=PEM_read_X509(F,NULL,0,NULL);
> // **************************
> 
> So, in this case X509_free() crashes - nothing to free, "p" is uninitialized...
> Must the PEM_read_ function do the initialization of the empty X509 structure??? Possibly it cannot work
> with FILE, only with the BIO interface?
> 
> 

That's expected: X509_free() is attempting to free an X509 structure which
isn't valid because it's passed an uninitialized pointer.

Don't free 'p', just call PEM_read_X509().

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: shenson@..., PGP key: via homepage.

Paul Muntz | 11 May 05:43 2003

Re: Problem with OpenSSL - incorrect compiling or... ?

> 
> That's expected: X509_free() is attempting to free an X509 structure which
> isn't valid because it's passed an uninitialized pointer.
> 
> Don't free 'p', just call PEM_read_X509().
> 
> Steve.
> --

X509 *p;
FILE *F;
	F=fopen("t.PEM","r");
	p=PEM_read_X509(F,NULL,0,NULL);

The code above MUST work, mustn't it?
But it does not work. I suspect an error in the DLLs from when they were compiled, or a conflict between single/multithreaded(?)
routines. Why does a memory error happen in MSVCRT.DLL?