Re: [openssl-dev] openssl 1.0.2h: Parsing really large CRLs fails, side effect of change in x_name.c?
In message <5729fe86.1080...@dfn-cert.de> on Wed, 4 May 2016 15:52:06 +0200, Jürgen Brauckmann said:

brauckmann> [double-post; sent this previously to r...@openssl.org, and didn't get a
brauckmann> ticket reply or something. As I feel that potentially a large number
brauckmann> of people is affected, e.g. via Apache crl parsing etc., re-sent to
brauckmann> openssl-dev.]

r...@openssl.org is moderated. A little now and then, someone in the team goes and checks for messages on hold (that is, everything that comes in), lets messages such as yours through and tosses the load of crap that came as well (you can't imagine the load of SPAM getting to that address).

So, ticket replies aren't immediate.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] openssl 1.0.2h: Parsing really large CRLs fails, side effect of change in x_name.c?
[double-post; sent this previously to r...@openssl.org, and didn't get a ticket reply or something. As I feel that potentially a large number of people is affected, e.g. via Apache crl parsing etc., re-sent to openssl-dev.]

Hi.

Openssl 1.0.2h cannot parse really large CRLs anymore. "Really large" means > some 1MB.

It seems as if the new check in line 202 in x_name.c, committed 5 days ago, has a side effect beyond name decoding:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/asn1/x_name.c#L202

# openssl crl -in large_crl.pem
unable to load CRL
3078178440:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203:
3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO
3078178440:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL
3078178440:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

[root@strangepork ~]# /services/inst/openssl/openssl-1.0.2g/bin/openssl crl -out c -in cacrl.pem
[root@strangepork ~]# /services/inst/openssl/openssl-1.0.2h/bin/openssl crl -out c -in cacrl.pem
unable to load CRL

All name structures in "large_crl.pem" have normal sizes, but the crl contains a large number of revoked certificates:

# openssl-102g crl -in large_crl.pem -noout -issuer
issuer=/C=DE/O=client-1/CN=Testinstanz client-1
# openssl-102g crl -in large_crl.pem -noout | grep "Revocation Date:" | wc -l
49813

Best regards,
Jürgen
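
An added illustration, not part of the original post and not OpenSSL's code: a simplified C model of how a size cap inside a nested decoder can reject a normal-sized issuer name when the enclosing CRL is large. It assumes (the report only suspects the new check) that the cap is compared with the bytes remaining in the enclosing buffer rather than with the name's own encoded length; `NAME_LIMIT`, `seq_len`, `name_ok_remaining`, `name_ok_element` and `make_input` are hypothetical names.

```c
#include <stdlib.h>

#define NAME_LIMIT (1024 * 1024) /* assumed cap, chosen to match the "> some 1MB" symptom */

/* Total encoded size (header + body) of the SEQUENCE at p, or 0 if malformed. */
static size_t seq_len(const unsigned char *p, size_t avail)
{
    size_t n, i, body = 0;
    if (avail < 2 || p[0] != 0x30) return 0;
    if (p[1] < 0x80) return p[1] > avail - 2 ? 0 : 2 + (size_t)p[1];
    n = p[1] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail - 2 < n) return 0;
    for (i = 0; i < n; i++) body = (body << 8) | p[2 + i];
    return body > avail - 2 - n ? 0 : 2 + n + body;
}

/* Variant A: the cap is compared with the bytes left in the enclosing buffer. */
int name_ok_remaining(const unsigned char *p, size_t avail)
{
    return avail <= NAME_LIMIT && seq_len(p, avail) != 0;
}

/* Variant B: the cap is compared with the name element's own encoded length. */
int name_ok_element(const unsigned char *p, size_t avail)
{
    size_t len = seq_len(p, avail);
    return len != 0 && len <= NAME_LIMIT;
}

/* Constructed input: a SEQUENCE of name_body zero bytes standing in for the issuer,
 * then tail filler bytes for the revoked list. Always uses a 3-byte length field. */
unsigned char *make_input(size_t name_body, size_t tail, size_t *total)
{
    unsigned char *buf = calloc(1, *total = 5 + name_body + tail);
    if (buf == NULL) return NULL;
    buf[0] = 0x30; buf[1] = 0x83;
    buf[2] = (unsigned char)(name_body >> 16);
    buf[3] = (unsigned char)(name_body >> 8);
    buf[4] = (unsigned char)name_body;
    return buf;
}

int main(void)
{
    size_t len;
    unsigned char *crl = make_input(48, 2u << 20, &len); /* small name, 2 MiB after it */
    int rc = crl == NULL || name_ok_remaining(crl, len) || !name_ok_element(crl, len);
    free(crl);
    return rc; /* 0 when A rejects and B accepts the same input */
}
```

Variant A rejects the 48-byte name because 2 MiB of entries follow it, which matches the `Field=issuer` position of the reported error; both variants still reject a name that is itself over the cap.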