[openssl-users] Something causing "Error 12"/Expired CRL during CRL processing

o haya ohaya at yahoo.com
Tue Mar 8 22:33:49 UTC 2016

Hello Dr. Henson,

It's been a very long time since I've been on this list... it's great that you're still here :)!!!

We were kind of wondering about the hashes (we couldn't find how they were calculated, etc.).

Can you clarify what you mean by "multiple CRLs with the same hash"?  Do you mean a situation where we have several of the CRL files (for different CAs) where the result of the "openssl hash" gives an identical number/string?

I'm not on our production site yet, so I'll ask someone who is.  I'm pretty sure that they didn't check for that as they have an automated task or something that they run under a cron job to re-calculate the hashes when they are downloaded.

Re. the "time":  I'm pretty sure the system time is correct, but will have them check, BUT if the time was wrong, how would it be able to work when we put the CRLs into a big PEM file instead of as individual files with the hashes?  In other words, if the system time was wrong, wouldn't that also cause the CRL verify to fail when the CRLs were all in one big PEM file?

A couple of more questions:

1) Re. what I said about HOW the hashes are calculated:  The docs say "based on the Issuer name".  Is that meant literally, i.e., the hash is only a hash of the Issuer name inside the CRL and the other contents of the CRL, like signatures, etc. don't affect the value of the hash that openssl calculates??

In other words, assuming that the Issuer names in the CRLs don't change, can we just download updated CRL files and NOT re-calculate the hashes in the CRL directory?

2) When you said "A couple of possibilities": Would the duplicate hashes cause an "Error 12"/Expired CRL error?  That seems like an incorrect error?


On Tue, 3/8/16, Dr. Stephen Henson <steve at openssl.org> wrote:

 Subject: Re: [openssl-users] Something causing "Error 12"/Expired CRL during CRL processing
 To: "o haya" <ohaya at yahoo.com>, openssl-users at openssl.org
 Date: Tuesday, March 8, 2016, 2:46 PM

 On Tue, Mar 08, 2016, o haya wrote:

 > Our websites are configured for SSL client authentication with CRLs in a directory pointed to by SSLCACertificateRevocationPath and SSLCARevocationCheck set to "chain".  We then place our CRLs in the directory and create the hashes for them using an app or script that we wrote.  I think that this essentially does something like:
 >
 > ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0
 >
 > However, when we did a test upgrade one of our production instances the requests are failing and, in the error logs, we are seeing the following messages:

 A couple of possibilities. One is that the time isn't properly set on the machine which has this problem.

 Another is that there may be multiple CRLs with the same hash: have you checked for that? If there are you need to use the form .r1, .r2 etc.

 Dr Stephen N. Henson.
 OpenSSL project core developer.
 tech support now available see: http://www.openssl.org
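
Dr. Henson's reply says that CRLs sharing a hash need the `.r1`, `.r2` forms, while the command quoted in the thread always writes `.r0`. A rehash step that assigns those suffixes, added here as an example and not code from either poster; `crl_hash` and `link_crls` are hypothetical names, and the directory is assumed to hold CRL files named `*.crl`:

```shell
#!/bin/sh
# Added example (not from the thread): rebuild <hash>.rN links in a CRL directory.

# Hash of one CRL, using the same openssl command quoted in the thread.
crl_hash() {
    openssl crl -hash -noout -in "$1"
}

# link_crls DIR
# Removes old hash symlinks, then links every *.crl in DIR as <hash>.r0,
# <hash>.r1, ... so that two CRLs with the same hash never overwrite each other.
# Prints one "link -> file" line per CRL; shared hashes are reported on stderr.
link_crls() {
    dir=$1
    # Remove only symlinks that look like hash links; regular files are kept.
    for l in "$dir"/*.r[0-9]*; do
        if [ -L "$l" ]; then rm -f "$l"; fi
    done
    for f in "$dir"/*.crl; do
        [ -f "$f" ] || continue
        h=$(crl_hash "$f") || { echo "skip (cannot parse): $f" >&2; continue; }
        [ -n "$h" ] || continue
        # Find the first free suffix for this hash.
        n=0
        while [ -e "$dir/$h.r$n" ] || [ -L "$dir/$h.r$n" ]; do
            n=$((n + 1))
        done
        if [ "$n" -gt 0 ]; then
            echo "note: hash $h already used by $n CRL(s), using .r$n" >&2
        fi
        ln -s "$(basename "$f")" "$dir/$h.r$n"
        echo "$h.r$n -> $(basename "$f")"
    done
}
```

Calling `link_crls` on the directory configured as SSLCACertificateRevocationPath after each CRL download rebuilds the links from scratch, so a stale link left by an earlier run cannot keep a suffix occupied.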
