[openssl-users] openssl crl fails to parse a CRL file, which seems correct

Erwann Abalea Erwann.Abalea at docusign.com
Thu Sep 15 09:18:06 UTC 2016

That’s a bug in the Issuer name length check.
Use the 1.1.0 version.

Erwann Abalea

> Le 14 sept. 2016 à 14:31, Wouter Verhelst <wouter.verhelst at fedict.be> a écrit :
> Hi,
> (this is a resend because my MUA crashed while I tried to send this mail earlier. If you get it twice, my apologies)
> When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I sometimes get this error:
> wouter at gangtai:~$ openssl version
> OpenSSL 1.0.2h  3 May 2016
> wouter at gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
> unable to load CRL
> 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
> This isn't the case for all of the CRLs, just for some of them; e.g., everything works fine for eidc201503.crl
> However, if I try the same on another machine nearby, which has a much older version of OpenSSL, then things seem to work fine:
> eidmac:~ buildslave$ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
>         Last Update: Sep 14 10:22:50 2016 GMT
>         Next Update: Sep 21 10:22:50 2016 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
> keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
> This machine is a mac running OSX 10.11, the OpenSSL is the default as shipped with that OS; the other is my personal laptop, which runs Debian unstable (and the openssl is again the default). I've reproduced the same issue on Debian stable, haven't tried much else yet.
> I've been trying to figure out why my OpenSSL fails to parse the CRL, whereas others do not,. Any hints would be greatly appreciated.
> Thanks,
> -- 
> Wouter Verhelst
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list