httpd-users mailing list archives

From Hristiyan Kirov <>
Subject [users@httpd] CRL list with size more than 4MB
Date Wed, 03 May 2017 08:57:58 GMT

We have a system in which the access control is done via SSL certificates. The end-users provide
their personal certificate and we let them in. We have Oracle Linux 6.8 with apache 2.4 and
openssl 1.0.1e. We have a problem with one of the issuers of certificates (CA) in our country.
Their CRL files are larger than 4MB. When a client with a certificate issued by them tries to
log in, the following error is generated:

[Wed Apr 12 18:48:37.694046 2017] [ssl:info] [pid 9123] [client xxxxxxxxxxx:51018] AH02276:
Certificate Verification: Error (3): unable to get certificate CRL

Other users with certificates from other issuers (CAs) are able to login correctly.

Our apache is configured with the following directives:
SSLCARevocationCheck       leaf
SSLCARevocationPath        /etc/rh/root/etc/httpd24/conf/keystore/crl/

and in SSLCARevocationPath we have symbolic links to the CRL files named hash-value.rN. The
CRL files are downloaded every day via crontab. All CRL files (except the ones from the problematic
CA) are smaller than 4MB.
We found documentation from Oracle stating that their Oracle HTTP Server (based on apache) is not
able to process CRL files larger than 4MB.

One additional comment: we have a similar legacy system but with apache 2.2 and openssl 0.9.8,
and the login is successful there with CRLs larger than 4MB - but we assume that this is due to
the fact that in apache 2.2, if there is no CRL, the system will let you pass.

We can provide more information about the problem and trace files from openssl commands that
check the certificates, but after weeks of troubleshooting we came up to the size of the revocation
So, have any of you guys managed to process correctly a CRL file larger than 4MB?

Hristiyan Kirov
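As an added example (not part of the original post or of httpd itself), this is the kind of daily CRL refresh job the post describes: it validates a downloaded CRL with openssl, converts it to the PEM form the hash-directory lookup expects, places it under the hash-value.rN name that SSLCARevocationPath uses, and flags any CRL at or above the 4 MB size the post identifies as problematic. The directory defaults to the path from the post; the 4 MB limit, the hash and file names in comments are taken from the post or constructed.

```shell
#!/bin/sh
# Added example: install a downloaded CRL into an SSLCARevocationPath
# directory under the hash-value.rN name mod_ssl looks up, with checks.
set -e

CRL_DIR="${CRL_DIR:-/etc/rh/root/etc/httpd24/conf/keystore/crl}"  # path from the post
SIZE_LIMIT=$((4 * 1024 * 1024))                                    # 4 MB threshold from the post

# Print a file's size in bytes (wc is portable; stat flags differ per platform).
crl_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeed only if the CRL is below the 4 MB threshold, so the cron job can
# report an oversized CRL instead of httpd failing verification silently.
crl_size_ok() {
    [ "$(crl_size "$1")" -lt "$SIZE_LIMIT" ]
}

# Choose the next free <hash>.rN name in a directory. N is bumped when another
# CRL whose issuer has the same hash value already occupies the slot.
next_crl_slot() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.r$n" ]; do n=$((n + 1)); done
    printf '%s/%s.r%s\n' "$dir" "$hash" "$n"
}

# Accept PEM or DER input, reject anything openssl cannot parse (a truncated
# download must not replace a good CRL), warn on size, then write PEM output
# under the hash name. Prints the installed path.
install_crl() {
    crl=$1
    if openssl crl -in "$crl" -noout 2>/dev/null; then inform=PEM
    elif openssl crl -in "$crl" -inform DER -noout 2>/dev/null; then inform=DER
    else echo "rejecting $crl: not a parsable CRL" >&2; return 1
    fi
    crl_size_ok "$crl" || echo "warning: $crl is $(crl_size "$crl") bytes (>= 4 MB)" >&2
    hash=$(openssl crl -in "$crl" -inform "$inform" -hash -noout)
    dest=$(next_crl_slot "$CRL_DIR" "$hash")
    openssl crl -in "$crl" -inform "$inform" -out "$dest"
    echo "$dest"
}
```

Run as `install_crl /tmp/issuer.crl` from the cron job after the download; old `.rN` entries for the same hash still need to be pruned separately so stale CRLs do not accumulate.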
