TLSCRLFile
En el registro del servidor TLS en el caso de un par OpenSSL:
no se pudo aceptar una conexión entrante: desde 127.0.0.1: el protocolo de enlace TLS con 127.0.0.1 devolvió el código de error 1: \
archivo s3_srvr.c línea 3251: error: 14089086: rutinas SSL: ssl3_get_client_certificate: verificación de certificado fallida: \
TLS escribe alerta fatal "CA desconocida"
En el registro del servidor TLS en el caso de un par GnuTLS:
no se pudo aceptar una conexión entrante: desde 127.0.0.1: el protocolo de enlace TLS con 127.0.0.1 devolvió el código de error 1: \
archivo rsa_pk1.c línea 103: error:0407006A: rutinas rsa:RSA_padding_check_PKCS1_type_1:\
el tipo de bloque no es el archivo 01 rsa_eay.c línea 705: error:04067072: rutinas rsa:RSA_EAY_PUBLIC_DECRYPT:paddin
OpenSSL, in server log:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
SSL routines:ssl3_get_server_certificate:certificate verify failed:\
TLS write fatal alert "certificate revoked"
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
SSL routines:ssl3_get_server_certificate:certificate verify failed:\
TLS write fatal alert "certificate expired"
The point here is that with valid CRL a revoked certificate is reported as "certificate revoked". When CRL expires the error message changes to "certificate expired" which is quite misleading.
GnuTLS, in server log:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked.
OpenSSL, in log:
error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\
line 1924: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:\
TLS write fatal alert "unknown CA"'
This was observed when server certificate by mistake had the same Issuer and Subject string, although it was signed by CA. Issuer and Subject are equal in top-level CA certificate, but they cannot be equal in server certificate. (The same applies to proxy and agent certificates.)