openssl: Verifiy failed with error 3 at 0 depth lookup: unable to get certificate CRL

October 26, 2022 Michael Albert Leave a comment

openssl can verify certificates against the root CA/intermediate CA chain and also can check a crl list if a certificate is revoked.
The URL of the certificate revoke list can usually found in der certificate itself. For example a certifcate signed by QuoVadis Global SSL ICA G3 .

Try to verify the certificate with also checking the crl use:

michael@debdev ~ # openssl verify -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem C = BM, O = QuoVadis Limited, CN = QuoVadis Global SSL ICA G3 error 3 at 0 depth lookup: unable to get certificate CRL error my__certificate_signed-by_quoVadisglobalsslicag3.pem: verification failed

The CRL check fails. The reason is the size of the crl list. The file size is hard coded set to 100kB .

michael@debdev ~ # wget http://crl.quovadisglobal.com/qvsslg3.crl -O qvsslg3.crl michael@debdev ~ # ls -l qvsslg3.crl -rw-r--r-- 1 michael:michael 106707 Oct 27 22:25 qvsslg3.crl

This is fixed in versions >= 3.0. Verify:

michael@debdev ~ # apt install build-essential michael@debdev ~ # git clone https://github.com/openssl/openssl openssl michael@debdev ~ # cd openssl michael@debdev ~/openssl ~ # git checkout remotes/origin/openssl-3.1 michael@debdev ~/openssl ~ # ./Configure michael@debdev ~/openssl ~ # ./make

Check with openssl 3.1. First add build directory to library path

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH michael@debdev:~ # cd michael@debdev ~ # ./openssl/apps/openssl version OpenSSL 3.1.0-dev under development (Library: OpenSSL 3.1.0-dev under development)

And check the certifcate with the openssl version again

michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

With a older version-
Definition of the file size is in file crypto/ocsp/ocsp_ht.c

michael@debdev ~ # rm -r openssl michael@debdev ~ # git clone https://github.com/openssl/openssl openssl michael@debdev ~ # cd openssl michael@debdev ~/openssl # git checkout remotes/origin/OpenSSL_1_1_1-stable michael@debdev ~/openssl # grep OCSP_MAX_RESP_LENGTH crypto/ocsp/ocsp_ht.c #define OCSP_MAX_RESP_LENGTH (100 * 1024)

Edit crypto/ocsp/ocsp_ht.c and set it to

#define OCSP_MAX_RESP_LENGTH (100 * 2048)

build again

michael@debdev ~/openssl ~ # make clean michael@debdev ~/openssl ~ # ./Configure linux-x86_64 michael@debdev ~/openssl ~ # make

And check

michael@debdev ~/openssl ~ # export LD_LIBRARY_PATH=$(pwd):$LD_LIBRARY_PATH michael@debdev:~ # cd michael@debdev ~ # ./openssl/apps/openssl version OpenSSL 1.1.1s-dev xx XXX xxxx michael@debdev:~ # ./openssl/apps/openssl verify -CApath /etc/ssl/certs -crl_check -crl_download my__certificate_signed-by_quoVadisglobalsslicag3.pem my__certificate_signed-by_quoVadisglobalsslicag3.pem: OK

Michael

Advertisment to support michlstechblog.info

Leave a Reply Cancel reply

Your email address will not be published.

Comment </p><p class="comment-form-author"><label for="author">Name <span class="required" aria-hidden="true">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" required=""/></p> <p class="comment-form-email"><label for="email">Email <span class="required" aria-hidden="true">*</span></label> <input id="email" name="email" type="email" value="" size="30" maxlength="100" aria-describedby="email-notes" required=""/></p> <span id="cptch_time_limit_notice_81" class="cptch_time_limit_notice cptch_to_remove">Time limit is exhausted. Please reload CAPTCHA.</span><span class="cptch_wrap cptch_math_actions"> </p></div><aside id="recent-comments-2" class="widget widget_recent_comments"><h1 class="widget-title">Recent Comments</h1><nav aria-label="Recent Comments"><ul id="recentcomments"><li class="recentcomments"><span class="comment-author-link">Sachin</span> on <a href="https://michlstechblog.info/blog/linux-set-a-static-fixed-ip-with-network-manager-cli/#comment-6205">Linux: Set a static/fixed IP with Network Manager Cli</a></li><li class="recentcomments"><span class="comment-author-link">Eric Gillette</span> on <a href="https://michlstechblog.info/blog/java-error-failed-to-validate-certificate-the-application-will-not-be-executed/#comment-6080">Java Error: Failed to validate certificate. The application will not be executed</a></li><li class="recentcomments"><span class="comment-author-link">Don</span> on <a href="https://michlstechblog.info/blog/apache-403-issue-on-alias-directive-and-a-virtual-directory/#comment-6029">Apache: Alias directive for virtual directory returns HTTP Error 403</a></li></ul></nav></aside><aside id="paypal_donations-2" class="widget widget_paypal_donations"><h1 class="widget-title">Donate</h1><p>Consider to make a small donation if the information on this site are useful :-)</p> </aside><aside id="rss-2" class="widget widget_rss"><h1 class="widget-title"><a class="rsswidget rss-widget-feed" href="http://michlstechblog.info/blog/feed"><img class="rss-widget-icon" style="border:0" width="14" height="14" src="https://michlstechblog.info/blog/wp-includes/images/rss.png" alt="RSS" loading="lazy"/></a> <a class="rsswidget rss-widget-title" href="https://michlstechblog.info/blog">Follow michlstechblog</a></h1><nav aria-label="Follow michlstechblog"><ul><li><a class="rsswidget" href="https://michlstechblog.info/blog/windows-prevent-windows-from-installing-a-specific-devicedriver/">Windows: Prevent windows from installing a specific device(driver)</a></li><li><a class="rsswidget" href="https://michlstechblog.info/blog/windows-enable-policy-to-prevent-connections-to-multiple-networks/">Windows: Enable policy to prevent connections to multiple networks</a></li><li><a class="rsswidget" href="https://michlstechblog.info/blog/windows-working-with-filter-drivers/">Windows: Working with Filter drivers</a></li><li><a class="rsswidget" href="https://michlstechblog.info/blog/windows-inject-procmon-in-an-existing-windows-installation-by-windows-pe/">Windows: Inject Process Monitor in an existing Windows installation by Windows PE</a></li><li><a class="rsswidget" href="https://michlstechblog.info/blog/wsus-windows-update-server-does-not-deliver-newer-updates-error-code-0x80070003/">WSUS: Windows Update Server does not deliver newer updates. Error code: 0x80070003</a></li></ul></nav></aside><aside id="simple-links-2" class="widget sl-links-main"><h1 class="widget-title">Links</h1></aside> </div> <div id="cookie-law-info-bar" data-nosnippet="true"><span>This website uses cookies to improve your experience and to serv personalized advertising by google adsense. By using this website, you consent to the use of cookies for personalized content and advertising. For more information about cookies, please see our Privacy Policy, but you can opt-out if you wish. <a role="button" data-cli_action="accept" id="cookie_action_close_header" class="medium cli-plugin-button cli-plugin-main-button cookie_action_close_header cli_action_button wt-cli-accept-btn">Accept</a> <a role="button" id="cookie_action_close_header_reject" class="medium cli-plugin-button cli-plugin-main-button cookie_action_close_header_reject cli_action_button wt-cli-reject-btn" data-cli_action="reject">Reject</a> <a href="https://michlstechblog.info/blog/privacy-policy/" id="CONSTANT_OPEN_URL" target="_blank" class="cli-plugin-main-link">Read More</a></span></div><div id="cookie-law-info-again" data-nosnippet="true"><span id="cookie_hdr_showagain">Privacy & Cookies Policy</span></div><div class="cli-modal" data-nosnippet="true" id="cliSettingsPopup" tabindex="-1" role="dialog" aria-labelledby="cliSettingsPopup" aria-hidden="true"> <h4>Privacy Overview</h4> <div class="cli-privacy-content"> <div class="cli-privacy-content-text">This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.</div> Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. </div>