CRL size limit exceeded, ignoring

ohara · Thu Aug 28, 2014 8:08 pm

Could anybody explain what this means exactly and what are the CRL requirements in terms of limit/length? RB751G, ROS 6.19

Shiro · Fri Aug 29, 2014 7:09 pm

I get that alot on my CCR1009.

Maybe to large revocation lists? I use cacert.org and some self signed stuff on my Router.

Jeanluck · Mon Dec 15, 2014 6:34 pm

I have the same problem with 6.22 (I use CAcert.org)

chemp86 · Thu Jan 01, 2015 10:27 am

I have the same problem with 6.22 (I use CAcert.org)

Same situation with 6.24.
Guys, we need to fix it.

macak91 · Sun Jan 18, 2015 7:12 pm

Any solution?

Jeanluck · Mon Jan 19, 2015 11:19 am

Not for now

Support? some comment?

chemp86 · Wed Jan 21, 2015 7:27 am

In 6.25 changelog:

*) certificates - fix SCEP RA operation and SCEP client when operating with RA;

But still the same error...
Guys, please, fix this!

chemp86 · Fri Feb 06, 2015 6:23 am

In 6.26 still same...

Nunak · Thu Feb 12, 2015 10:16 am

In 6.27 still same ...

On RB2011UAS-2HnD

ScottReed · Thu Mar 26, 2015 2:26 pm

CCR1036-12G-4S... still happening with 6.27.

daggerCVN · Thu Mar 31, 2016 3:43 pm

Add to this older/existing thread. I've purchased an SSL certificate from PositiveSSL/Comodo and installed in on my RB750Gv1 and v2 (hEX) routers. The certificate package includes 4 files. Every hour I get the same error log message: CRL size limit exceeded, ignoring. I've used both v6.19 and v6.32.4 firmwares. Note that the log error message does not indicate which of the four certs is causing the error. Can I get an explanation and hopefully a fix from Mikrotik please?

daggerCVN · Thu Mar 31, 2016 4:22 pm

Adding more info:

[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                   COMMON-NAME                SUBJECT-ALT-NAME                                             FINGERPRINT               
 0 K L    T cert_1                 hotspot.addmydevice.com    DNS:www.hotspot.addmydevice.com                              f1ecc5085973f13df2b4cfc...
 1   L A  T ca_2                   COMODO RSA Domain Valid...                                                              02ab57e4e67a0cb48dd2ff3...
 2   L A  T ca_3                   COMODO RSA Certificatio...                                                              4f32d5dc00f715250abcc48...
 3     A  T ca_4                   AddTrust External CA Root                                                               687fa451382278fff0c8b11...

I suspect it is either ca_2 or ca_3 as they are LAT certs which are CRLs, but ca_4 is not classified as a CRL.

Question to the forum/Mikrotik - exactly what happens when you get this Log error of CRL ignored? Does it not apply/use it or is it more of a warning but still is used? Thanks.

Thu Mar 31, 2016 6:25 pm

It means that router doe snot have enough RAM to download CRL file at a time. If CRL is not downloaded certificates cannot be verified.

daggerCVN · Thu Mar 31, 2016 11:32 pm

mrz - thanks for the response. I'm no SSL expert, so pardon my noob questions. I thought all the SSL info was installed with the cert package - the actual certificate and the 3 intermediary/whatever certs I listed above, and they all Imported correctly. Or does the Mikrotik need to communicate with the CA and actually download additional CRL files?? If it is downloading CRL, does it store it to RAM or HDD/Flash memory?

Fri Apr 01, 2016 12:53 pm

Remote peer's certificate is sent to the router and that certificate is compared to imported CA if it belongs to the chain. If CA has CRL then additionally is checked whether certificate is valid (not revoked).

Initially CRL is downloaded and all its structure is loaded to RAM, because of that structures abut 10 times more ram is needed than actual CRL file size. After that CRL is stored on HDD/flash.

daggerCVN · Fri Apr 01, 2016 5:04 pm

Thanks mrz - that is consistent with what I observe on my memory consumption - my HDD space decreases by about 2MB when I Import the certs. Do you know how low on HDD Flash memory I can go before the RB750Gr2 will start to see performance degradation?

CRL size limit exceeded, ignoring

CRL size limit exceeded, ignoring

Re: AW: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Re: CRL size limit exceeded, ignoring

Who is online