That's a bug in the Issuer name length check. Use the 1.1.0 version.

Regards,
Erwann Abalea

> On 14 Sept. 2016 at 14:31, Wouter Verhelst <wouter.verhelst at fedict.be> wrote:
>
> Hi,
>
> (this is a resend because my MUA crashed while I tried to send this mail earlier. If you get it twice, my apologies)
>
> When I try to parse some of the CRLs at <http://crl.eid.belgium.be/>, I sometimes get this error:
>
> wouter at gangtai:~$ openssl version
> OpenSSL 1.0.2h 3 May 2016
> wouter at gangtai:~$ openssl crl -in eidc201203.crl -inform der -noout -text
> unable to load CRL
> 140694432685592:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
> 140694432685592:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
>
> This isn't the case for all of the CRLs, just for some of them; e.g., everything works fine for eidc201503.crl
>
> However, if I try the same on another machine nearby, which has a much older version of OpenSSL, then things seem to work fine:
>
> eidmac:~ buildslave$ openssl version
> OpenSSL 0.9.8zh 14 Jan 2016
> eidmac:~ buildslave$ openssl crl -in eidc201203.crl -inform der -noout -text | head
> Certificate Revocation List (CRL):
> Version 2 (0x1)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: /C=BE/CN=Citizen CA/serialNumber=201203
> Last Update: Sep 14 10:22:50 2016 GMT
> Next Update: Sep 21 10:22:50 2016 GMT
> CRL extensions:
> X509v3 Authority Key Identifier:
> keyid:7A:5F:3A:FF:2D:46:91:90:53:3F:BB:91:2D:29:82:ED:BB:78:6A:E0
>
> This machine is a mac running OSX 10.11, the OpenSSL is the default as shipped with that OS; the other is my personal laptop, which runs Debian unstable (and the openssl is again the default). I've reproduced the same issue on Debian stable, haven't tried much else yet.
>
> I've been trying to figure out why my OpenSSL fails to parse the CRL, whereas others do not. Any hints would be greatly appreciated.
>
> Thanks,
>
> --
> Wouter Verhelst
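
Since the error in the thread blames the issuer field, one independent check is to measure the encoded issuer Name in the DER file yourself and compare it with the size of the whole CRL. The following is an added example, not part of the original thread or of OpenSSL; `read_tlv`, `crl_issuer_length`, `tlv` and `sample_crl` are hypothetical helper names, and the sample CRL is constructed (real layout up to the issuer, filler afterwards, not a signed CRL).

```python
import sys

def read_tlv(buf, pos, want=None):
    """Return (tag, content_start, content_len) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (want, tag))
    return tag, pos, length

def crl_issuer_length(der):
    """Return (CertificateList bytes, issuer Name bytes) for a DER CRL."""
    _, start, length = read_tlv(der, 0, 0x30)        # CertificateList
    if start + length > len(der):
        raise ValueError("CRL is truncated")
    _, pos, _ = read_tlv(der, start, 0x30)           # TBSCertList
    tag, cstart, clen = read_tlv(der, pos)
    if tag == 0x02:                                  # optional version INTEGER
        pos = cstart + clen
    _, cstart, clen = read_tlv(der, pos, 0x30)       # signature AlgorithmIdentifier
    name_at = cstart + clen                          # issuer Name follows it
    _, cstart, clen = read_tlv(der, name_at, 0x30)
    return start + length, cstart + clen - name_at

def tlv(tag, content):
    """DER-encode one TLV (used only to build the constructed sample)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def sample_crl(filler):
    """Constructed CRL-shaped blob: real layout up to issuer, filler after."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))
    issuer = tlv(0x30, tlv(0x31, atv))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + tlv(0x30, bytes(filler)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_crl(70000)
    print("CRL bytes: %d, issuer Name bytes: %d" % crl_issuer_length(data))
```

Run it with the path of a DER-encoded CRL as the only argument; without an argument it measures the constructed sample.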