Hello again.

On 03.12.2013 00:41, Алексей Прокопчук wrote:

> I have my own test CA based on EJBCA. The server certificate and all client certificates I tried to test were issued by this CA. The freshest CRL is embedded into the ca.pem file, which is used as the CA certificate in dovecot.conf.
> Now I'm quite confused: apache works with these certificates as expected: it accepts valid ones and refuses revoked ones. But dovecot, which yesterday accepted at least one certificate (which I revoked for testing), today rejects all others from the same CA.

Thanks for your attention, and excuse me for occupying your time. The problem was in the CRL generated by EJBCA. Apparently, EJBCA and OpenSSL are not entirely compatible. When I remove the CRL distribution point field from my EJBCA-generated CRL, all works as expected: valid certificates are accepted, revoked certificates are rejected. And there is no problem with the CRL scope, so the fix from the first reply isn't needed; all works with the initially installed openssl-1.0.1c.

With regard to apache, I think it checks certificate validity with OCSP, and I don't embed the CRL in the CA certificate for apache. Perhaps it would be nice to implement OCSP validity checking together with the embedded CRL, with the possibility to choose which one will be used.

Thanks again, especially for the hint about the openssl scope loop problem.
With best regards, Alexey Prokopchuk (AP8686-RIPE)