[openssl-dev] openssl 1.0.2h: Parsing really large CRLs fails, side effect of change in x_name.c?
Jürgen Brauckmann
brauckmann at dfn-cert.de
Wed May 4 13:52:06 UTC 2016
[double-post; sent this previously to rt at openssl.org, and didn't get a
ticket reply or something. As I feel that potentially a large number of
people is affected, e.g. via Apache crl parsing etc., re-sent to
openssl-dev.]
Hi.
Openssl 1.0.2h cannot parse really large CRLs anymore. "Really large"
means > some 1MB.
It seems as if the new check in line 202 in x_name.c, commited 5 days
ago, has a side effect beyond name decoding:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/asn1/x_name.c#L202
# openssl crl -in large_crl.pem
unable to load CRL
3078178440:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too
long:x_name.c:203:
3078178440:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
3078178440:error:0D08303A:asn1 encoding
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:697:Field=crl, Type=X509_CRL
3078178440:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1
lib:pem_oth.c:83:
[root at strangepork ~]# /services/inst/openssl/openssl-1.0.2g/bin/openssl
crl -out c -in cacrl.pem
[root at strangepork ~]# /services/inst/openssl/openssl-1.0.2h/bin/openssl
crl -out c -in cacrl.pem
unable to load CRL
All name structures in "large_crl.pem" have normal sizes, but the crl
contains a large number of revoked certificates:
# openssl-102g crl -in large_crl.pem -noout -issuer
issuer=/C=DE/O=client-1/CN=Testinstanz client-1
# openssl-102g crl -in large_crl.pem -noout | grep "Revocation Date:" |
wc -l
49813
Best regards,
Jürgen
More information about the openssl-dev
mailing list