openssl: Verifiy failed with error 3 at 0 depth lookup: unable to get certificate CRL

Hi,

openssl can verify certificates against the root CA/intermediate CA chain and also can check a crl list if a certificate is revoked.

The URL of the certificate revoke list can usually found in der certificate itself. For example a certifcate signed by QuoVadis Global SSL ICA G3.

Try to verify the certificate with also checking the crl use:

michael@debdev ~ # openssl verify -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3
error 3 at 0 depth lookup: unable to get certificate CRL
error my__certificate_signed-by_quoVadisglobalsslicag3.pem: verification failed

The CRL check fails. The reason is the size of the crl list. The file size is hard coded set to 100kB.

michael@debdev ~ # wget http://crl.quovadisglobal.com/qvsslg3.crl -O qvsslg3.crl
michael@debdev ~ # ls -l qvsslg3.crl
-rw-r--r-- 1 michael:michael 106707 Oct 27 22:25 qvsslg3.crl

This is fixed in versions >= 3.0. Verify:

michael@debdev ~ # apt install build-essential
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl ~ # git checkout remotes/origin/openssl-3.1
michael@debdev ~/openssl ~ # ./Configure
michael@debdev ~/openssl ~ # ./make

Check with openssl 3.1. First add build directory to library path

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 3.1.0-dev under development (Library: OpenSSL 3.1.0-dev under development)

And check the certifcate with the openssl version again

michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

With a older version-
Definition of the file size is in file crypto/ocsp/ocsp_ht.c

michael@debdev ~ # rm -r openssl
michael@debdev ~ # git clone https://github.com/openssl/openssl openssl
michael@debdev ~ # cd openssl
michael@debdev ~/openssl # git checkout remotes/origin/OpenSSL_1_1_1-stable
michael@debdev ~/openssl # grep OCSP_MAX_RESP_LENGTH crypto/ocsp/ocsp_ht.c
#define OCSP_MAX_RESP_LENGTH    (100 * 1024)

Edit crypto/ocsp/ocsp_ht.c and set it to

#define OCSP_MAX_RESP_LENGTH    (100 * 2048)

build again

michael@debdev ~/openssl ~ # make clean
michael@debdev ~/openssl ~ # ./Configure linux-x86_64
michael@debdev ~/openssl ~ # make

And check

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH
michael@debdev:~ # cd
michael@debdev ~ # ./openssl/apps/openssl version
OpenSSL 1.1.1s-dev  xx XXX xxxx
michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem
my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

Michael

Leave a Reply Cancel reply