problems with s_client recognizing revoked intermediate/subordinate ca

On 10/03/2016 20:11, michael at secure-mail.biz wrote:
> Hey openssl users,
>
> I am testing with revoking certificates.
>
> My PKI has a root and 2 intermediates, which then sign server and 
> client certificates.
> My test environment consists of a s_client and a s_server referencing 
> the corresponding files and a verifydir with c_rehashed files.
> TLS connections work fine from s_client to s_server, chain is exposed 
> and recognized properly.
>
> I successfully revoked server certificates with the intermediate ca crl.
> When trying to connect using the s_client "-crl_check" arg the 
> "certificate revoked" notification shows up correctly.
>
> I also successfully created a crl with the root ca, that revokes one 
> of the intermediates.
> The serial number of the revoked intermediate is shown correctly in the 
> crl and the crl is c_rehashed in the verify dir of the client.
> But no matter what I try, the s_client does NOT show the "certificate 
> revoked" when I connect to the corresponding s_server using the 
> certificate signed by the revoked intermediate.
>
> Any ideas what I could be doing wrong?

Make sure the intermediary is not included in the "CA storage"
(hashed or single file) used by the client.  Anything in that
storage is considered valid and not checked for revocation or
validity.

>
> I am on version OpenSSL 1.0.1f 6 Jan 2014
>
That's a bit old.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
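As an added example (not part of the thread), the script below rebuilds the poster's setup as a three-tier PKI, revokes the intermediate in a root CRL, keeps the intermediate out of the trust store as Jakob advises, and then runs "openssl verify" with -crl_check and with -crl_check_all. It assumes an openssl binary on PATH; all names and subjects are constructed, and "openssl verify" stands in for s_client/s_server since both go through X509_verify_cert().

```shell
#!/bin/sh
# Constructed demo: root -> intermediate -> leaf, a root CRL revoking the
# intermediate, then "openssl verify" with -crl_check and -crl_check_all.
# verify and s_client both call X509_verify_cert(), so the verdicts match.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }
WORK=$(mktemp -d); cd "$WORK"
# Key and certificate for $1 (subject $2, extension file $3), signed by CA $4;
# an empty $4 makes a self-signed root.
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" \
    -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" \
      -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}

# Minimal "openssl ca" config for $1 so -revoke/-gencrl work with an empty DB.
ca_cnf() {
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.idx\ncertificate=%s.crt\n' "$1" "$1" > "$1.cnf"
  printf 'private_key=%s.key\ndefault_md=sha256\ndefault_crl_days=30\n' "$1" >> "$1.cnf"
  printf 'crlnumber=%s.num\n' "$1" >> "$1.cnf"
  : > "$1.idx"; echo 01 > "$1.num"
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > ee.ext
  mkcert root  /CN=Demo-Root  ca.ext
  mkcert inter /CN=Demo-Inter ca.ext root
  mkcert leaf  /CN=localhost  ee.ext inter
  ca_cnf inter; openssl ca -config inter.cnf -gencrl -out inter.crl 2>/dev/null  # empty CRL
  ca_cnf root;  openssl ca -config root.cnf -revoke inter.crt 2>/dev/null
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
  # Trust store: root cert plus both CRLs. inter.crt is deliberately NOT here.
  cat root.crt root.crl inter.crl > store.pem
}
# Verify leaf.crt with CRL flag $1, passing the intermediate as untrusted.
verify_leaf() {
  openssl verify "$1" -CAfile store.pem -untrusted inter.crt leaf.crt 2>&1 || true
}

build_pki
verify_leaf -crl_check      # leaf.crt: OK  (only the end-entity cert is CRL-checked)
verify_leaf -crl_check_all  # certificate revoked (error 23 at depth 1, the intermediate)
```

The second verdict is what the poster was looking for: -crl_check consults a CRL for the end-entity certificate only, and the intermediate's own revocation is reached only when -crl_check_all walks the whole chain.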


