Hi. Openssl 1.0.2h cannot parse really large CRLs anymore. "Really large" means > some 1MB.
It seems as if the new check in line 202 in x_name.c, commited 5 days ago, has a side effect beyond name decoding: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/asn1/x_name.c#L202 # openssl crl -in large_crl.pem unable to load CRL 3078178440:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203: 3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO 3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL 3078178440:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83: [root@strangepork ~]# /services/inst/openssl/openssl-1.0.2g/bin/openssl crl -out c -in cacrl.pem [root@strangepork ~]# /services/inst/openssl/openssl-1.0.2h/bin/openssl crl -out c -in cacrl.pem unable to load CRL All name structures in "large_crl.pem" have normale sizes, but it contains a large number of revoked certificates: # openssl-102g crl -in large_crl.pem -noout -issuer issuer=/C=DE/O=client-1/CN=Testinstanz client-1 # openssl-102g crl -in large_crl.pem -noout | grep "Revocation Date:" | wc -l 49813 Best regards, Jürgen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4531 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev