Below you have a paste of the previous comment and at the end one more observation:

Ok, actually things are more twisted than that. The error above is thrown when the following CRL is the first in the bundle:

```
openssl crl -in /etc/grid-security/certificates/8dd53007.r0 -text 
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2
        Last Update: Jul 26 20:32:27 2023 GMT
        Next Update: Aug 25 20:32:27 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:36:59:CC:DF:3C:3A:E2:49:93:4F:25:12:42:B6:CF:E9:19:1F:32:B4

            X509v3 CRL Number: 
                3031
            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertGridCA-1-G2.crl
                  URI:http://crl4.digicert.com/DigiCertGridCA-1-G2.crl

No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         4a:81:65:46:dc:72:17:ec:c5:3f:8a:1d:1c:af:e0:37:e0:f6:
         27:ae:5f:f2:9d:01:9e:e5:a4:69:42:46:98:17:15:88:6c:90:
         34:ba:36:5d:5a:1e:41:98:7a:01:42:2f:f8:63:72:b8:4b:6b:
         5c:44:8c:e3:1d:30:5b:8d:ee:b9:6c:98:70:e8:57:dd:57:7c:
         f6:6f:f1:c6:5f:be:c8:69:9e:61:98:1b:a0:ed:c0:ab:f5:7c:
         8d:ea:75:45:b4:a5:1c:87:38:c2:59:b6:6d:4d:06:1c:8c:26:
         4f:28:71:f9:3a:af:1d:cf:8c:59:2c:32:e7:71:e0:bd:ee:3a:
         e5:34:d0:7e:d6:fb:ec:db:55:2c:8b:da:c9:f8:7d:d2:95:87:
         a7:3a:22:50:9c:df:39:08:21:87:32:0c:e3:4e:2b:07:79:db:
         d8:bf:18:97:3a:c4:8f:94:76:df:b5:bd:7b:cb:e9:48:66:2d:
         2c:1f:06:40:45:c3:b3:e2:b3:b7:7b:88:38:75:d4:ba:5a:5b:
         b5:ee:44:35:4f:11:b9:db:f7:db:57:89:af:a0:88:0c:75:a1:
         25:6f:eb:29:b3:ae:24:60:68:3b:15:6d:4d:eb:a7:71:2b:b3:
         a5:22:8f:eb:f6:45:15:1b:22:a6:6f:c5:1e:5f:57:92:70:eb:
         a4:ec:c5:e1
```

In case it's not the first entry in the CRL bundle, things work fine, even if the full size of the file is bigger than 100kB.
Most likely the CRL extensions are playing a role here ...

The only sequence that does not work is when this CRL is the first one in the bundle CRLfile created by the XrdTlsTempCA class.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/2065#issuecomment-1663496107