Hello, I was researching how expired CRLs affect revocation checking via openssl. * TEST #1: *The first test was to find out what status is returned when i verify a certificate against the CRL: [dan at canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile CRLS/ABC-expired.crl -crl_check CERTS/0x500c8bd-revoked.pem *CERTS/0x500c8bd-revoked.pem: C = us, O = ORG, OU = LAB, OU = ABC, OU = D002, CN = test error 12 at 0 depth lookup:CRL has expiredC = us, O = ORG, OU = LAB, OU = ABC, OU = D002, CN = test error 23 at 0 depth lookup:certificate revoked* as you can see the client *WAS* informed the certificate was *revoked*, even though the CRL was expired. *TEST #2: *Next test was using OCSP: [dan at canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080 *Response verify OK CERTS/0x500c8bd-revoked.pem: unknown This Update: Dec 9 20:48:26 2015 GMT* as you can see the client *was NOT *informed the certificate was revoked. We are using a 3rd party vendors OCSP service, and I am of the opinion that an OCSP service should provide a revoked response regardless of the time validity of the CRL. I have read RFC 2560 & 6960 many times, and have not been able to find explicit guidance on this scenario. I am interested in the community opinion on this issue, and any pertinent mandatory guidance. My end goal is either to convince our vendor to provide a revoked status regardless of the CRLs expiration OR justify why an OCSP service should ignore issuers with expired CRLs. I'm looking forward to any feedback provided. --Dan -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151210/0b9ad628/attachment.html>
