[openssl-users] openssl crl fails to parse a CRL file, which seems correct
Wouter Verhelst
wouter.verhelst at fedict.be
Wed Sep 14 12:31:22 UTC 2016
Hi,
(this is a resend because my MUA crashed while I tried to send this mail
earlier. If you get it twice, my apologies)
When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I
sometimes get this error:
wouter at gangtai:~$ openssl version
OpenSSL 1.0.2h 3 May 2016
wouter at gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
unable to load CRL
140694432685592:error:0D09E09B:asn1 encoding
routines:X509_NAME_EX_D2I:too long:x_name.c:203:
140694432685592:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
140694432685592:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:697:Field=crl, Type=X509_CRL
This isn't the case for all of the CRLs, just for some of them; e.g.,
everything works fine for eidc201503.crl
However, if I try the same on another machine nearby, which has a much
older version of OpenSSL, then things seem to work fine:
eidmac:~ buildslave$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout
-text | head
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
Last Update: Sep 14 10:22:50 2016 GMT
Next Update: Sep 21 10:22:50 2016 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
This machine is a mac running OSX 10.11, the OpenSSL is the default as
shipped with that OS; the other is my personal laptop, which runs Debian
unstable (and the openssl is again the default). I've reproduced the
same issue on Debian stable, haven't tried much else yet.
I've been trying to figure out why my OpenSSL fails to parse the CRL,
whereas others do not,. Any hints would be greatly appreciated.
Thanks,
--
Wouter Verhelst
More information about the openssl-users
mailing list