[openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

o haya ohaya at yahoo.com
Tue Mar 8 19:24:52 UTC 2016


I wasn't sure which mailing list would be most appropriate, so I had posted about this originally on the Apache mailing list earlier.  I haven't gotten any feedback on that, so I'm posting here in the hopes that someone might have some idea about what might be causing the problems we're seeing.

Anyway, we are upgrading some of our Apache instances to 2.4.16 (on Redhat) and OpenSSL from 0.9.8x to 1.0.1e, at the same time, mostly because we want to enable TLS, and we are encountering a strange problem with SSL and CRLs.

Our websites are configured for SSL client authentication with CRLs in a directory pointed to by SSLCACertificateRevocationPath and SSLCARevocationCheck set to "chain".  We then place our CRLs in the directory and create the hashes for them using an app or script that we wrote.  I think that this essentially does something like:

ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0

However, when we did a test upgrade of one of our production instances, the requests are failing and, in the error logs, we are seeing the following messages:

[ssl.debug] [pid 4866] ssl_engine_kernel.c: [client] Certificate Verification, depth 1, CRL checking mode: chain [subject: CN=CA4,OU=branch,.... / issuer: CN=Root 3,OU=branch,... / serial: 86 / notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] 

[ssl.info] [pid 4866] [client] Certificate Verification: Error (12): CRL has expired [subject: CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 / notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] 

We checked all of the CRL files and they all appear to be within their validity periods, so we are really puzzled as to what is causing this problem.

Also, I should mention a couple of additional pieces of info:

- After the Apache upgrade, we explicitly re-generated the CRL hashes using openssl 1.0.1x.
- We did another set of tests, where instead of using the Apache SSLCARevocationPath directive and the CRLs and hashes in the directory, we glommed all of the CRLs together into a big PEM file and used the SSLCARevocationFile directive, and when we did that, we did not get the "Error 12"/Expired errors.

The thing is that we have not been able to replicate this problem in our test environment, when we try to re-create a similar PKI hierarchy, so we (or I) suspect that there may be something going on with either the CRLs or cert files themselves that we are getting from the CAs (but recall that these same CRLs worked with older Apache).

So I was wondering if there are any known situations (e.g., some combination of constraints, etc., maybe some difference in versions or something in the CRL formats) that cause Apache/openssl to think that the CRL was expired and cause "Error 12" to be logged, but where the problem was being caused by something other than the CRL files actually being expired?

As I said, I wasn't quite sure where to post this, but I'm hoping that someone here might have some clue about what is causing this problem.

Thanks in advance,
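
Added example, not part of the original post: a standard-library Python check that reads thisUpdate/nextUpdate straight from the DER of each CRL and reports the status of every entry named like `<hash>.rN` in the revocation directory, so the validity periods are checked per directory entry rather than per source file. The function names and the `sample_crl` skeleton are constructed for illustration; signatures are not verified.

```python
import base64, os, re
from datetime import datetime, timezone

def _tlv(buf, pos):  # one DER element at pos -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, tag, start, end):        # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(raw):  # PEM or DER CRL -> (thisUpdate, nextUpdate or None)
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", raw, re.S)
    der = base64.b64decode(m.group(1)) if m else raw
    _, pos, _ = _tlv(der, 0)            # CertificateList
    _, pos, tbs_end = _tlv(der, pos)    # TBSCertList
    tag, _, end = _tlv(der, pos)        # version INTEGER (optional) or signature
    if tag == 0x02:
        _, _, end = _tlv(der, end)      # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)          # issuer Name
    tag, start, end = _tlv(der, end)    # thisUpdate
    this_update, next_update = _time(der, tag, start, end), None
    if end < tbs_end:
        tag, start, end = _tlv(der, end)
        if tag in (0x17, 0x18):         # nextUpdate is OPTIONAL in the ASN.1
            next_update = _time(der, tag, start, end)
    return this_update, next_update

def crl_status(raw, now):
    this_update, next_update = crl_validity(raw)
    if now < this_update:
        return "not yet valid"
    # "expired" is the condition that Error 12 reports
    return "expired" if next_update and now > next_update else "current"

def audit_dir(path, now):  # status of every <hash>.rN entry, keyed by entry name
    report = {}
    for name in sorted(os.listdir(path)):
        if re.fullmatch(r"[0-9a-f]{8}\.r\d+", name):
            with open(os.path.join(path, name), "rb") as fh:  # open() follows symlinks
                report[name] = crl_status(fh.read(), now)
    return report

def sample_crl(this_update, next_update):  # constructed, unsigned CRL skeleton (DER)
    d = lambda tag, body=b"": bytes([tag, len(body)]) + body
    tbs = d(0x30, d(0x02, b"\x01") + d(0x30) + d(0x30) + d(0x17, this_update) + d(0x17, next_update))
    return d(0x30, tbs + d(0x30) + d(0x03, b"\x00"))
```

Call `audit_dir("/path/to/crl/dir", datetime.now(timezone.utc))` with the directory the server is configured to use. Python's `%y` pivots at 69 while RFC 5280 pivots UTCTime at 50, which only matters for two-digit years 50 through 68.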
