[openssl-users] openssl crl fails to parse a CRL file, which seems correct
Erwann Abalea
Erwann.Abalea at docusign.com
Thu Sep 15 09:18:06 UTC 2016
That’s a bug in the Issuer name length check.
Use the 1.1.0 version.
Cordialement,
Erwann Abalea
> Le 14 sept. 2016 à 14:31, Wouter Verhelst <wouter.verhelst at fedict.be> a écrit :
>
> Hi,
>
> (this is a resend because my MUA crashed while I tried to send this mail earlier. If you get it twice, my apologies)
>
> When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I sometimes get this error:
>
> wouter at gangtai:~$ openssl version
> OpenSSL 1.0.2h 3 May 2016
> wouter at gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
> unable to load CRL
> 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
>
> This isn't the case for all of the CRLs, just for some of them; e.g., everything works fine for eidc201503.crl
>
> However, if I try the same on another machine nearby, which has a much older version of OpenSSL, then things seem to work fine:
>
> eidmac:~ buildslave$ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
> Last Update: Sep 14 10:22:50 2016 GMT
> Next Update: Sep 21 10:22:50 2016 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
> keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
>
> This machine is a mac running OSX 10.11, the OpenSSL is the default as shipped with that OS; the other is my personal laptop, which runs Debian unstable (and the openssl is again the default). I've reproduced the same issue on Debian stable, haven't tried much else yet.
>
> I've been trying to figure out why my OpenSSL fails to parse the CRL, whereas others do not,. Any hints would be greatly appreciated.
>
> Thanks,
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
More information about the openssl-users
mailing list