Issue with CRL revocation check on server side
Hi Roumen,
I generated a CRL for the peer certificate, put it in the same folder as CARevocationPath
indicates and generated the hash value as required in the X509README file.
When I tried to use this revoked peer cert to connect to the server, instead of sending the error message, the cert just passed revocation check and I successfully logged in.
I was wondering if I could have your help here; I also added some details below:
**The Environment I use:**
- PKIXSSH v12.5.1
- server Raspbian Buster
- client Ubuntu 20.04
**The Cert structure I use:**
- revcacert.pem ---> revusr.pem (peer)
- ca.crl (this CRL revokes revusr.pem and is signed by revcacert.pem)
**The server configuration I use:**
in sshd_config:
- CARevocationPath /opt/pkix-ssh/etc/ca/crl
- CACertificatePath /opt/pkix-ssh/etc/ca/crt
- MandatoryCRL no
in CARevocationPath I have
- ca.crl
- crlHashValue.0
in CACertificatePath I have
- revcacert
- caHashValue.0
I checked the CRL with openssl verify and it returned error 23 at 0 depth lookup: certificate revoked. This is what I expected and it means this CRL works.
However, in the server's log, it shows:
Any thoughts?
Thanks,
Det2sial