openssl: Verify failed with error 3 at 0 depth lookup: unable to get certificate CRL

Hi,

openssl can verify certificates against the root CA/intermediate CA chain and can also check a CRL to see whether a certificate has been revoked.

The URL of the certificate revocation list can usually be found in the certificate itself, for example in a certificate signed by QuoVadis Global SSL ICA G3.

To verify the certificate and also check the CRL, use:

michael@debdev ~ # openssl verify -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
error 3 at 0 depth lookup: unable to get certificate CRL
error my__certificate_signed-by_quoVadisglobalsslicag3.pem: verification failed

The CRL check fails. The reason is the size of the CRL: the maximum size of a downloaded CRL is hard-coded to 100 kB, and this CRL is larger.

michael@debdev ~ # wget http://crl.quovadisglobal.com/qvsslg3.crl -O qvsslg3.crl
michael@debdev ~ # ls -l qvsslg3.crl
-rw-r--r-- 1 michael:michael 106707 Oct 27 22:25 qvsslg3.crl

This is fixed in versions >= 3.0. To verify, build a 3.1 branch from source:

michael@debdev ~ # apt install build-essential
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl ~ # git checkout remotes/origin/openssl-3.1
michael@debdev ~/openssl ~ # ./Configure
michael@debdev ~/openssl ~ # make

Check with OpenSSL 3.1. First add the build directory to the library path:

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 3.1.0-dev under development (Library: OpenSSL 3.1.0-dev under development)

And check the certificate again with the newly built openssl binary:

michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

With an older version: the maximum size is defined in the file crypto/ocsp/ocsp_ht.c.

michael@debdev ~ # rm -r openssl
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl # git checkout remotes/origin/OpenSSL_1_1_1-stable
michael@debdev ~/openssl # grep OCSP_MAX_RESP_LENGTH crypto/ocsp/ocsp_ht.c
#define OCSP_MAX_RESP_LENGTH    (100 * 1024)

Edit crypto/ocsp/ocsp_ht.c and set the value to

#define OCSP_MAX_RESP_LENGTH    (100 * 2048)

Build again:

michael@debdev ~/openssl ~ # make clean
michael@debdev ~/openssl ~ # ./Configure linux-x86_64
michael@debdev ~/openssl ~ # make

And check:

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 1.1.1s-dev  xx XXX xxxx
michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

Michael
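An added example (not part of the original post): rather than rebuilding OpenSSL, fetch the CRL named in the certificate yourself and hand it to openssl with -CRLfile, which loads it from disk and is not subject to the 100 kB download cap. It assumes openssl and curl are on PATH and takes the PEM certificate as the first argument and the trust directory as the second.

```shell
#!/bin/sh
# Added example, not from the original post. The 100 kB cap applies to the
# HTTP fetch behind -crl_download, not to CRLs loaded from disk via -CRLfile.
# Assumes: openssl and curl on PATH; $1 is a PEM certificate, $2 the trust
# directory (defaults to /etc/ssl/certs as in the post).

# OCSP_MAX_RESP_LENGTH from crypto/ocsp/ocsp_ht.c in OpenSSL 1.1.1: 100 * 1024.
CRL_DOWNLOAD_CAP=102400

# Print the HTTP CRL distribution point URIs embedded in a certificate.
crl_uris() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/CRL Distribution Points/,/^ *X509v3/p' \
        | sed -n 's/.*URI:\(http[^ ]*\).*/\1/p'
}

# Succeed if the file would fit the -crl_download cap of OpenSSL < 3.0.
crl_size_ok() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$CRL_DOWNLOAD_CAP" ]
}

# Download a CRL and normalise it to PEM (CRLs are usually served as DER).
fetch_crl_pem() {
    uri=$1; out=$2
    curl -fsSL "$uri" -o "$out.raw" || return 1
    if grep -q 'BEGIN X509 CRL' "$out.raw"; then
        mv "$out.raw" "$out"
    else
        openssl crl -inform DER -in "$out.raw" -out "$out" && rm -f "$out.raw"
    fi
}

# Verify the leaf against the trust store and a locally supplied CRL.
verify_with_local_crl() {
    openssl verify -CApath "$2" -crl_check -CRLfile "$3" "$1"
}

main() {
    cert=$1; capath=${2:-/etc/ssl/certs}
    for uri in $(crl_uris "$cert"); do
        fetch_crl_pem "$uri" issuer.crl.pem || continue
        crl_size_ok issuer.crl.pem || echo "note: CRL from $uri exceeds" \
            "$CRL_DOWNLOAD_CAP bytes; -crl_download fails on OpenSSL < 3.0" >&2
        verify_with_local_crl "$cert" "$capath" issuer.crl.pem
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```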

