Below you have a paste of the previous comment and at the end one more observation:
Ok, actually things are more twisted than that. The error above is thrown when the following CRL is the first in the bundle:
openssl crl -in /etc/grid-security/certificates/8dd53007.r0 -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2
Last Update: Jul 26 20:32:27 2023 GMT
Next Update: Aug 25 20:32:27 2023 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:36:59:CC:DF:3C:3A:E2:49:93:4F:25:12:42:B6:CF:E9:19:1F:32:B4
X509v3 CRL Number:
3031
X509v3 Issuing Distrubution Point: critical
Full Name:
URI:http://crl3.digicert.com/DigiCertGridCA-1-G2.crl
URI:http://crl4.digicert.com/DigiCertGridCA-1-G2.crl
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
4a:81:65:46:dc:72:17:ec:c5:3f:8a:1d:1c:af:e0:37:e0:f6:
27:ae:5f:f2:9d:01:9e:e5:a4:69:42:46:98:17:15:88:6c:90:
34:ba:36:5d:5a:1e:41:98:7a:01:42:2f:f8:63:72:b8:4b:6b:
5c:44:8c:e3:1d:30:5b:8d:ee:b9:6c:98:70:e8:57:dd:57:7c:
f6:6f:f1:c6:5f:be:c8:69:9e:61:98:1b:a0:ed:c0:ab:f5:7c:
8d:ea:75:45:b4:a5:1c:87:38:c2:59:b6:6d:4d:06:1c:8c:26:
4f:28:71:f9:3a:af:1d:cf:8c:59:2c:32:e7:71:e0:bd:ee:3a:
e5:34:d0:7e:d6:fb:ec:db:55:2c:8b:da:c9:f8:7d:d2:95:87:
a7:3a:22:50:9c:df:39:08:21:87:32:0c:e3:4e:2b:07:79:db:
d8:bf:18:97:3a:c4:8f:94:76:df:b5:bd:7b:cb:e9:48:66:2d:
2c:1f:06:40:45:c3:b3:e2:b3:b7:7b:88:38:75:d4:ba:5a:5b:
b5:ee:44:35:4f:11:b9:db:f7:db:57:89:af:a0:88:0c:75:a1:
25:6f:eb:29:b3:ae:24:60:68:3b:15:6d:4d:eb:a7:71:2b:b3:
a5:22:8f:eb:f6:45:15:1b:22:a6:6f:c5:1e:5f:57:92:70:eb:
a4:ec:c5:e1
In case it's not the first entry in the CRL bundle then things work fine - even if the full size of the file is bigger than 100kB.
Most likely the CRL extensions are playing a role here ...
The only sequence that does not work is when this CRL is the first one in the bundle CRLfile created by the XrdTlsTempCA class.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
Use REPLY-ALL to reply to list
To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1