I have written a FIPS-1.1.2 compliant (OpenSSL 0.9.7m) application that validates certificates that are read in from files. It also loads the CA certificates and corresponding CRLs from files. I am trying to determine any limitations with loading large CRLs (~200-250 MB) and to characterize the resulting performance. I did not have any problem using CRLs that are ~100MB in size or smaller. However, with the ~200MB CRL, I get the following error:

    1418976:error:0D078064:asn1 encoding routines:ASN1_ITEM_EX_D2I:aux error:tasn_dec.c:407:Type=X509_CRL_INFO
    1418976:error:0D08303A:asn1 encoding routines:ANS1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:567:Field=crl, Type=X509_CRL
    1418976:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

This error occurs in a function similar (extraneous stuff has been removed) to the readX509Crl() function below. The OpenSSL function PEM_read_X509_CRL() returns an error:

    #include <cstdio>
    #include <string>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    // Reads one PEM-encoded CRL from crlPath into *crl.
    // Returns 1 on success (caller owns *crl), 0 on failure (*crl is set to 0).
    int readX509Crl(const std::string& crlPath, X509_CRL **crl)
    {
        int result = 0;
        X509_CRL* tempCrl = 0;
        FILE* crlFp = 0;

        // Open CRL file
        crlFp = fopen(crlPath.c_str(), "r");

        // If the CRL file opens correctly
        if (crlFp)
        {
            // If the PEM encoded file is read correctly
            if (PEM_read_X509_CRL(crlFp, &tempCrl, 0, 0))
            {
                // Set return parameter
                *crl = tempCrl;
                result = 1;
            }
            else
            {
                result = 0;
                // Make sure nothing is returned
                *crl = 0;
                // If the CRL memory is allocated, free it
                if (tempCrl)
                {
                    X509_CRL_free(tempCrl);
                    tempCrl = 0;
                }
            }
        }
        else
        {
            result = 0;
            // Make sure nothing is returned
            *crl = 0;
        }

        // If the file was opened, close it
        if (crlFp)
        {
            fclose(crlFp);
        }

        return result;
    }

The certificates and ~200MB CRL in question are all validated successfully using the OpenSSL command line:

    openssl verify -CAfile <cafile> -crl_check <certificates>

What could possibly be the problem with using large CRLs in my application? How can I go about troubleshooting this further?

Thanks for any help.

-Ryan Smith
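One way to narrow the question down, as an added example that is not part of the original post: before involving OpenSSL's decoder at all, check that the file's PEM armour is intact, that the base64 body decodes cleanly, and that the outer DER SEQUENCE length matches the number of bytes actually present. If a CRL of this size passes these checks, the file is well-formed and the failure lies in the library's handling of it; if not, the report names the first defect. The script uses only the Python standard library; the sample inputs in the test are constructed, not real CRLs.

```python
import base64
import re

# PEM armour that OpenSSL writes for a CRL (bytes regex; re.S spans lines).
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

def der_header(buf):
    """Return (tag, declared_length, header_size) of the outermost DER element."""
    if len(buf) < 2:
        raise ValueError("buffer too short for a DER header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                      # short-form length: one octet
        return tag, first, 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("indefinite-length or truncated DER header")
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n

def check_pem_crl(data):
    """Check the PEM wrapper and outer DER framing of a CRL held in `data` (bytes).
    Returns size facts on success; raises ValueError naming the first defect."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no '-----BEGIN X509 CRL-----' block found")
    body = re.sub(rb"\s+", b"", m.group(1))      # PEM base64 is split into lines
    der = base64.b64decode(body, validate=True)  # ValueError on corrupt base64
    tag, length, hdr = der_header(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % tag)
    if hdr + length != len(der):
        raise ValueError("declared %d + %d header bytes, but %d bytes decoded"
                         % (length, hdr, len(der)))
    return {"der_bytes": len(der), "header_bytes": hdr,
            "length_octets": hdr - 2}     # 0 = short form, 1..4 = long form

def check_pem_crl_file(path):
    with open(path, "rb") as f:
        return check_pem_crl(f.read())

def wrap_pem(der):
    """Constructed input helper: wrap raw DER in the armour OpenSSL emits."""
    b64 = base64.encodebytes(der)         # 76-char lines, newline-terminated
    return b"-----BEGIN X509 CRL-----\n" + b64 + b"-----END X509 CRL-----\n"

if __name__ == "__main__":
    import sys
    print(check_pem_crl_file(sys.argv[1]))
```

On a multi-hundred-megabyte file the regex and base64 steps need several times the file size in memory, so run it on a machine with headroom.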