2 Certificate problems

    OpenSSL is used with CRLs, but for some CA in the certificate chain its CRL is not included in TLSCRLFile

    In the TLS server log, when the peer uses GnuTLS:

    failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \

    CRL expired or expires during server operation

    • before expiration:
    • after expiration:
    cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
    SSL routines:ssl3_get_server_certificate:certificate verify failed:\

    The point here is that with a valid CRL a revoked certificate is reported as “certificate revoked”. Once the CRL has expired, the error message changes to “certificate expired”, which is quite misleading: it is the CRL, not the peer certificate, that has run out.

    • before and after expiration the same:
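    As an added illustration of the two CRL failure modes above (this is example code, not part of the original page or of the product it documents), the following script is a pre-flight check to run before starting the server or reloading its CRL file: it verifies that there is a CRL for every CA in the chain and that none of the CRLs is expired or close to expiry, so that neither the "handshake error code 1" nor the misleading "certificate expired" message is hit at runtime. The `openssl crl -noout -issuer -nextupdate` invocation and its `issuer=` / `nextUpdate=` output format, as well as the sample DNs and dates, are assumptions of the example.

```python
"""Pre-flight CRL check (added example, not the page's own code).

Parsing and decision logic work on plain text, so they can be run offline
on constructed samples; read_crl_file() shells out to the real openssl
binary (assumed to be on PATH) when you point it at an actual CRL file.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# OpenSSL prints CRL times as e.g. "Mar  5 10:00:00 2024 GMT" (assumed format)
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(line):
    """Turn a 'nextUpdate=<time>' line into an aware UTC datetime."""
    value = line.split("=", 1)[-1].strip()
    return datetime.strptime(value, _OPENSSL_TIME).replace(tzinfo=timezone.utc)


def normalise_dn(line):
    """Strip an 'issuer='/'subject=' prefix and make
    'C = XX, CN = Foo' and 'C=XX,CN=Foo' compare equal."""
    dn = re.sub(r"^(issuer|subject)=", "", line.strip())
    return re.sub(r"\s*([=,])\s*", r"\1", dn)


def crl_info(openssl_output):
    """Parse what `openssl crl -noout -issuer -nextupdate` prints.

    Returns (normalised issuer DN, nextUpdate as UTC datetime)."""
    issuer = next_update = None
    for line in openssl_output.splitlines():
        if line.startswith("issuer="):
            issuer = normalise_dn(line)
        elif line.startswith("nextUpdate="):
            next_update = parse_openssl_time(line)
    if issuer is None or next_update is None:
        raise ValueError("no issuer/nextUpdate found in OpenSSL output")
    return issuer, next_update


def read_crl_file(path):
    """Run OpenSSL on a real CRL file (assumes `openssl` is on PATH)."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-issuer", "-nextupdate"],
        check=True, capture_output=True, text=True).stdout
    return crl_info(out)


def check_crls(ca_subjects, crls, now, warn_within=timedelta(days=1)):
    """Report every CA without a CRL and every CRL that is expired or about to be.

    ca_subjects: subject DNs of every CA in the chain (root and intermediates).
    crls:        list of (issuer DN, nextUpdate) tuples, e.g. from crl_info().
    Returns a list of human-readable problems; an empty list means all clear.
    """
    problems = []
    covered = {normalise_dn(issuer) for issuer, _ in crls}
    for ca in ca_subjects:
        if normalise_dn(ca) not in covered:
            problems.append(f"no CRL for CA {ca!r} in TLSCRLFile")
    for issuer, next_update in crls:
        if next_update <= now:
            problems.append(
                f"CRL from {issuer!r} expired at {next_update:%Y-%m-%d %H:%M} UTC")
        elif next_update - now < warn_within:
            problems.append(
                f"CRL from {issuer!r} expires at {next_update:%Y-%m-%d %H:%M} UTC;"
                " reload a fresh CRL before then")
    return problems


# Constructed sample data: one CRL (for the intermediate CA only) and a
# two-level chain, i.e. the "CRL missing for some CA" case from the page.
SAMPLE_CRL_OUTPUT = (
    "issuer=C = XX, O = Example Org, CN = Example Intermediate CA\n"
    "nextUpdate=Mar  5 10:00:00 2024 GMT\n"
)
SAMPLE_CHAIN = [
    "C = XX, O = Example Org, CN = Example Root CA",
    "C = XX, O = Example Org, CN = Example Intermediate CA",
]


if __name__ == "__main__":
    # Usage: python crlcheck.py <CA subject DN>... -- <CRL file>...
    args = sys.argv[1:]
    split = args.index("--") if "--" in args else len(args)
    subjects, paths = args[:split], args[split + 1:]
    found = check_crls(subjects, [read_crl_file(p) for p in paths],
                       datetime.now(timezone.utc))
    print("\n".join(found) or "all CRLs present and current")
    sys.exit(1 if found else 0)
```

Running the script with the chain's CA subjects and the CRL files that make up TLSCRLFile exits non-zero with a plain list of what is missing or expired, which is a clearer signal than the handshake errors quoted above. The one-day warning window is there so a CRL that will expire "during server operation" is caught while the old one is still valid.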

    Self-signed certificate, unknown CA

    OpenSSL, in the log:

    error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\
    TLS write fatal alert "unknown CA"'