CRL list with size more than 4MB

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

CRL list with size more than 4MB

Hristiyan Kirov

Hello,

 

We have a system in which the access control is done via SSL certificates. The end-users provide their personal certificate and we let them in. We have Oracle Linux 6.8 with apache 2.4 and openssl 1.0.1e. We have problem with one of the issuers of certificates (CA) in our country. Their CRL files are larger than 4MB. When a client with certificate issued from them try to login the following error is generated:

 

[Wed Apr 12 18:48:37.694046 2017] [ssl:info] [pid 9123] [client xxxxxxxxxxx:51018] AH02276: Certificate Verification: Error (3): unable to get certificate CRL

 

Other users with certificates from other issuers (CAs) are able to login correctly.

 

Our apache is configured with the following directives:

SSLCARevocationCheck       leaf

SSLCARevocationPath        /etc/rh/root/etc/httpd24/conf/keystore/crl/

 

and in SSLCARevocationPath we have symbolic links to the CRL file named hash-value.rN. The CRL files are downloaded everyday via crontab. All CRL files (except the ones from problematic CA) are smaller than 4MB.

We found a documentation from Oracle that their Oracle HTTP Server (based on apache) is not able to process CRL files larger than 4MB.

 

One additional comment, we have a similar legacy system but with apache 2.2 and openssl 0.9.8 and the login is successful there with CRLs larger than 4MB – but we assume that this is during the fact that in apache 2.2 if there is no CRL, the system will let you pass.

 

We can provide more information for the problem and trace files from openssl commands that checks the certificates but after weeks of troubleshooting we came up to the size of the revocation list…

So, have any of you guys managed to process correctly CRL file larger than 4MB?

Thanks

 

Regards,

Hristiyan Kirov

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users