OpenSSL与CRL一起使用,对于证书链中的某些CA,其CRL不包含在“TLSCRLFile”中

    在TLS服务器日志在GnuTLS对等(peer)的情况下:

    1. failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
    2.     file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\

    服务器运行期间CRL过期或到期

    • 到期前:
    • 过期后:
    1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
    2.     SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
    3.     TLS write fatal alert "certificate expired"

    这里的意思是,使用有效的CRL,撤销的证书将被报告为“已撤销证书”。当CRL过期时,错误消息更改为“证书已过期”,这是相当误导的。

    • 过期前后相同:

    mbed TLS (PolarSSL), 在服务器日志中:

    • 到期前:
    1. cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
    • 过期后: