Below you have a paste of the previous comment and at the end one more observation:

Ok, actually things are more twisted than that. The error above is thrown when the following CRL is the first in the bundle:

openssl crl -in /etc/grid-security/certificates/8dd53007.r0 -text 
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /DC=com/DC=DigiCert-Grid/O=DigiCert Grid/CN=DigiCert Grid CA-1 G2
        Last Update: Jul 26 20:32:27 2023 GMT
        Next Update: Aug 25 20:32:27 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:36:59:CC:DF:3C:3A:E2:49:93:4F:25:12:42:B6:CF:E9:19:1F:32:B4

            X509v3 CRL Number: 
                3031
            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertGridCA-1-G2.crl
                  URI:http://crl4.digicert.com/DigiCertGridCA-1-G2.crl

No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         4a:81:65:46:dc:72:17:ec:c5:3f:8a:1d:1c:af:e0:37:e0:f6:
         27:ae:5f:f2:9d:01:9e:e5:a4:69:42:46:98:17:15:88:6c:90:
         34:ba:36:5d:5a:1e:41:98:7a:01:42:2f:f8:63:72:b8:4b:6b:
         5c:44:8c:e3:1d:30:5b:8d:ee:b9:6c:98:70:e8:57:dd:57:7c:
         f6:6f:f1:c6:5f:be:c8:69:9e:61:98:1b:a0:ed:c0:ab:f5:7c:
         8d:ea:75:45:b4:a5:1c:87:38:c2:59:b6:6d:4d:06:1c:8c:26:
         4f:28:71:f9:3a:af:1d:cf:8c:59:2c:32:e7:71:e0:bd:ee:3a:
         e5:34:d0:7e:d6:fb:ec:db:55:2c:8b:da:c9:f8:7d:d2:95:87:
         a7:3a:22:50:9c:df:39:08:21:87:32:0c:e3:4e:2b:07:79:db:
         d8:bf:18:97:3a:c4:8f:94:76:df:b5:bd:7b:cb:e9:48:66:2d:
         2c:1f:06:40:45:c3:b3:e2:b3:b7:7b:88:38:75:d4:ba:5a:5b:
         b5:ee:44:35:4f:11:b9:db:f7:db:57:89:af:a0:88:0c:75:a1:
         25:6f:eb:29:b3:ae:24:60:68:3b:15:6d:4d:eb:a7:71:2b:b3:
         a5:22:8f:eb:f6:45:15:1b:22:a6:6f:c5:1e:5f:57:92:70:eb:
         a4:ec:c5:e1

If it's not the first entry in the CRL bundle, then things work fine - even if the full size of the file is bigger than 100kB.
Most likely the CRL extensions are playing a role here ...

The only sequence that does not work is when this CRL is the first one in the bundle CRLfile created by the XrdTlsTempCA class.

