Problem description
The reference book that I'm working from (Network Security with OpenSSL, by Viega, Messier, and Chandra), on page 133, states:
I can't find any usable information about it in the OpenSSL documentation (no surprise there). It seems to me that checking the CRLs should be an automatic part of OpenSSL's verification process. Are CRLs handled automatically now, or must I still go through all the garbage listed in the book to laboriously verify that a certificate hasn't been revoked?
A closely-related question: does the SSL_CTX_set_default_verify_paths function load CRL paths too?
Recommended answer
SSL_CTX_set_default_verify_paths() just loads CA paths, not CRLs.
I believe (though I have not yet actually implemented it myself) that the correct process is:
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* Load CRLs into the X509_STORE that the SSL_CTX verifies against.
   `crl` is an X509_CRL * already parsed, e.g. with PEM_read_X509_CRL(). */
X509_STORE *x509_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_crl(x509_store, crl);

/* Enable CRL checking. X509_V_FLAG_CRL_CHECK checks only the leaf
   certificate; OR in X509_V_FLAG_CRL_CHECK_ALL to check every CA in the
   chain as well (which then needs a CRL for each of those CAs). */
X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);
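The two points in the answer (default verify paths carry no CRLs; CRL checking is off until X509_V_FLAG_CRL_CHECK is set) can be checked from Python's ssl module, which wraps the same OpenSSL SSL_CTX and X509_STORE. The following is an added example, not code from the original answer or from OpenSSL's documentation; it assumes ssl.VERIFY_CRL_CHECK_LEAF maps to X509_V_FLAG_CRL_CHECK and ssl.VERIFY_CRL_CHECK_CHAIN to X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL, and that the CRL files named by the caller are PEM files the caller has fetched. The hypothetical connect_with_revocation_check helper needs a network and is only a usage sketch.

```python
"""Added example (not part of the original Q&A): CRL loading and checking
through Python's ssl module, which drives the same OpenSSL X509_STORE the
answer above manipulates with X509_STORE_add_crl() and X509_VERIFY_PARAM."""
import socket
import ssl


def default_store_crl_count():
    """Build a client context the way SSL_CTX_set_default_verify_paths()
    does and report how many CRLs the underlying X509_STORE holds.
    The default paths contribute CA certificates only, so this is 0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()
    return ctx.cert_store_stats()["crl"]


def default_client_context():
    """create_default_context() loads the default CA paths and nothing
    about revocation, so CRL checking starts out disabled."""
    return ssl.create_default_context()


def crl_checking_enabled(ctx):
    """True once the X509_V_FLAG_CRL_CHECK bit is set on the context."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


def chain_checking_enabled(ctx):
    """True when both CRL_CHECK and CRL_CHECK_ALL are set (whole chain)."""
    return (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN


def enable_crl_checking(ctx, crl_files=(), check_chain=False):
    """Load CRL PEM files into the context's X509_STORE (the Python route
    to X509_STORE_add_crl) and turn on CRL checking.

    check_chain=False -> X509_V_FLAG_CRL_CHECK: only the leaf certificate is
        checked, so only the issuing CA's CRL is needed.
    check_chain=True  -> X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL:
        every certificate in the chain is checked, so a CRL for every CA in
        the chain must be loaded.

    Caveat: once the flag is set, a missing CRL is itself a verification
    failure (OpenSSL reports "unable to get certificate CRL"), not a silent
    pass, so load the CRLs before setting the flag.
    """
    for path in crl_files:
        # load_verify_locations() accepts CRLs as well as CA certificates
        # and adds them to the same store.
        ctx.load_verify_locations(cafile=path)
    if check_chain:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def make_client_context(crl_files=(), check_chain=False):
    """Default CA store plus the caller's CRLs plus revocation checking."""
    return enable_crl_checking(default_client_context(), crl_files, check_chain)


def connect_with_revocation_check(host, port, crl_files, check_chain=False):
    """Hypothetical usage sketch (needs network access, so the tests do not
    call it): handshake against host:port; a revoked certificate, or a chain
    for which no CRL was loaded, raises ssl.SSLCertVerificationError."""
    ctx = make_client_context(crl_files, check_chain)
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

The CRL files still have to be fetched and refreshed by you (from the CRL distribution point in the CA certificate); nothing in either the C answer or this example downloads them, and a stale CRL will keep accepting a certificate revoked after its thisUpdate time.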