[openssl-users] CRL list with size more than 4MB

Hristiyan Kirov HKirov at technologica.com
Wed May 3 09:11:58 UTC 2017


Hello,

We have a system in which the access control is done via SSL certificates. The end-users provide their personal certificate and we let them in. We have Oracle Linux 6.8 with apache 2.4 and openssl 1.0.1e. We have problem with one of the issuers of certificates (CA) in our country. Their CRL files are larger than 4MB. When a client with certificate issued from them try to login the following error is generated:

[Wed Apr 12 18:48:37.694046 2017] [ssl:info] [pid 9123] [client xxxxxxxxxxx:51018] AH02276: Certificate Verification: Error (3): unable to get certificate CRL

Other users with certificates from other issuers (CAs) are able to login correctly.

Our apache is configured with the following directives:
SSLCARevocationCheck       leaf
SSLCARevocationPath        /etc/rh/root/etc/httpd24/conf/keystore/crl/

and in SSLCARevocationPath we have symbolic links to the CRL file named hash-value.rN. The CRL files are downloaded everyday via crontab. All CRL files (except the ones from problematic CA) are smaller than 4MB.
We found a documentation from Oracle that their Oracle HTTP Server (based on apache) is not able to process CRL files larger than 4MB.

One additional comment, we have a similar legacy system but with apache 2.2 and openssl 0.9.8 and the login is successful there with CRLs larger than 4MB - but we assume that this is during the fact that in apache 2.2 if there is no CRL, the system will let you pass.

We can provide more information for the problem and trace files from openssl commands that checks the certificates but after weeks of troubleshooting we came up to the size of the revocation list...
So, have any of you guys managed to process correctly CRL file larger than 4MB?
Thanks

Regards,
Hristiyan Kirov

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170503/ed0731de/attachment.html>


More information about the openssl-users mailing list