Hi,
openssl can verify certificates against the root CA/intermediate CA chain and can also check a CRL to see whether a certificate has been revoked.
The URL of the certificate revocation list can usually be found in the certificate itself. Take, for example, a certificate signed by QuoVadis Global SSL ICA G3.
To verify the certificate while also checking the CRL, use:
michael@debdev ~ # openssl verify -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
error 3 at 0 depth lookup: unable to get certificate CRL
error my__certificate_signed-by_quoVadisglobalsslicag3.pem: verification failed
The CRL check fails. The reason is the size of the CRL: the maximum size openssl will download is hard-coded to 100kB, and this CRL is larger.
michael@debdev ~ # wget http://crl.quovadisglobal.com/qvsslg3.crl -O qvsslg3.crl
michael@debdev ~ # ls -l qvsslg3.crl
-rw-r--r-- 1 michael:michael 106707 Oct 27 22:25 qvsslg3.crl
This is fixed in versions >= 3.0. To verify, build OpenSSL 3.1 from source:
michael@debdev ~ # apt install build-essential
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl ~ # git checkout remotes/origin/openssl-3.1
michael@debdev ~/openssl ~ # ./Configure
michael@debdev ~/openssl ~ # make
Check with OpenSSL 3.1. First add the build directory to the library path:
michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 3.1.0-dev under development (Library: OpenSSL 3.1.0-dev under development)
And check the certificate again with this OpenSSL version:
michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK
With an older version, the size limit is defined in the file crypto/ocsp/ocsp_ht.c:
michael@debdev ~ # rm -r openssl
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl # git checkout remotes/origin/OpenSSL_1_1_1-stable
michael@debdev ~/openssl # grep OCSP_MAX_RESP_LENGTH crypto/ocsp/ocsp_ht.c
#define OCSP_MAX_RESP_LENGTH (100 * 1024)
Edit crypto/ocsp/ocsp_ht.c and set it to:
#define OCSP_MAX_RESP_LENGTH (100 * 2048)
Then build again:
michael@debdev ~/openssl ~ # make clean
michael@debdev ~/openssl ~ # ./Configure linux-x86_64
michael@debdev ~/openssl ~ # make
And check again:
michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 1.1.1s-dev xx XXX xxxx
michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK
Michael
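A way to sidestep the limit without patching and rebuilding OpenSSL, as an added example that is not part of Michael's post: fetch the CRL out of band, flag whether it would exceed the 1.1.1 download cap, and hand it to openssl verify with -CRLfile instead of -crl_download. It assumes openssl and curl are in PATH; the certificate and CA paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Works around the 100 KiB cap that
# OpenSSL 1.1.1's -crl_download inherits from OCSP_MAX_RESP_LENGTH by fetching
# the CRL with curl and passing it to openssl verify via -CRLfile.
# Assumes openssl and curl are in PATH; paths passed in are placeholders.

OPENSSL_CRL_DOWNLOAD_LIMIT=$((100 * 1024))   # OCSP_MAX_RESP_LENGTH in 1.1.1

# Print the first http(s) URI listed under CRL Distribution Points in a PEM cert.
crl_url_from_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A 3 'CRL Distribution Points' \
        | sed -n 's/.*URI:\(https\{0,1\}:[^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# Return 0 (true) when a CRL file is larger than the in-process download cap.
crl_exceeds_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$OPENSSL_CRL_DOWNLOAD_LIMIT" ]
}

# Verify a leaf certificate, checking revocation against a CRL fetched out of band.
# Usage: verify_with_local_crl cert.pem [/etc/ssl/certs]
verify_with_local_crl() {
    cert="$1"; capath="${2:-/etc/ssl/certs}"
    url=$(crl_url_from_cert "$cert")
    [ -n "$url" ] || { echo "no CRL distribution point in $cert" >&2; return 2; }
    crl_der=$(mktemp); crl_pem=$(mktemp)
    curl -fsSL "$url" -o "$crl_der" || { rm -f "$crl_der" "$crl_pem"; return 3; }
    if crl_exceeds_limit "$crl_der"; then
        echo "note: CRL is $(wc -c < "$crl_der") bytes, above the 1.1.1 cap of $OPENSSL_CRL_DOWNLOAD_LIMIT; -crl_download would fail" >&2
    fi
    # CRLs are normally served as DER; -CRLfile expects PEM. Keep a copy if it is already PEM.
    openssl crl -inform DER -in "$crl_der" -out "$crl_pem" 2>/dev/null || cp "$crl_der" "$crl_pem"
    openssl verify -CApath "$capath" -crl_check -CRLfile "$crl_pem" "$cert"
    rc=$?
    rm -f "$crl_der" "$crl_pem"
    return $rc
}
```

Unlike editing OCSP_MAX_RESP_LENGTH, this keeps the distribution's OpenSSL build intact, and the size note tells you in advance whether -crl_download on 1.1.1 would have failed.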