CRL size limit exceeded, ignoring

Could anybody explain what this means exactly and what the CRL requirements are in terms of limit/length? RB751G, ROS 6.19

I get that a lot on my CCR1009.

Maybe too large revocation lists? I use cacert.org and some self-signed stuff on my router.

I have the same problem with 6.22 (I use CAcert.org) :frowning:

Same situation with 6.24.
Guys, we need to fix it.

Any solution?

Not for now :frowning:
Support? Some comment?

In 6.25 changelog:

*) certificates - fix SCEP RA operation and SCEP client when operating with RA;

But still the same error…
Guys, please, fix this!

In 6.26 still same…

In 6.27 still same … :frowning: On RB2011UAS-2HnD

CCR1036-12G-4S… still happening with 6.27.

Adding to this older/existing thread. I’ve purchased an SSL certificate from PositiveSSL/Comodo and installed it on my RB750Gv1 and v2 (hEX) routers. The certificate package includes 4 files. Every hour I get the same error log message: CRL size limit exceeded, ignoring. I’ve used both v6.19 and v6.32.4 firmwares. Note that the log error message does not indicate which of the four certs is causing the error. Can I get an explanation and hopefully a fix from Mikrotik please?

Adding more info:

[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                   COMMON-NAME                SUBJECT-ALT-NAME                                             FINGERPRINT               
 0 K L    T cert_1                 hotspot.addmydevice.com    DNS:www.hotspot.addmydevice.com                              f1ecc5085973f13df2b4cfc...
 1   L A  T ca_2                   COMODO RSA Domain Valid...                                                              02ab57e4e67a0cb48dd2ff3...
 2   L A  T ca_3                   COMODO RSA Certificatio...                                                              4f32d5dc00f715250abcc48...
 3     A  T ca_4                   AddTrust External CA Root                                                               687fa451382278fff0c8b11...

I suspect it is either ca_2 or ca_3, as they are LAT certs, which are CRLs, but ca_4 is not classified as a CRL.

Question to the forum/Mikrotik - exactly what happens when you get this Log error of CRL ignored? Does it not apply/use it or is it more of a warning but still is used? Thanks.

It means that the router does not have enough RAM to download the CRL file at a time. If the CRL is not downloaded, certificates cannot be verified.

mrz - thanks for the response. I’m no SSL expert, so pardon my noob questions. I thought all the SSL info was installed with the cert package - the actual certificate and the 3 intermediary/whatever certs I listed above, and they all Imported correctly. Or does the Mikrotik need to communicate with the CA and actually download additional CRL files?? If it is downloading CRL, does it store it to RAM or HDD/Flash memory?

The remote peer’s certificate is sent to the router, and that certificate is compared to the imported CA to see if it belongs to the chain. If the CA has a CRL, then it is additionally checked whether the certificate is valid (not revoked).

Initially the CRL is downloaded and all of its structure is loaded into RAM; because of those structures, about 10 times more RAM is needed than the actual CRL file size. After that the CRL is stored on HDD/flash.
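The two-step check described in the post above (chain to an imported CA, then consult that CA's CRL), written out in Go as an added example; this is not code from the thread or from RouterOS. The CA, leaf certificate and CRL are constructed inside the block, and the names checkPeer and scenario are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkPeer performs the two steps described above: the peer certificate must chain to the imported CA,
// and if that CA publishes a CRL the peer's serial must not appear in it. A nil result means the peer is accepted.
func checkPeer(peer, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return err } // not issued by an imported CA
	if crlDER == nil { return nil } // CA without a CRL: the chain check alone decides
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(ca); err != nil { return err } // a CRL not signed by this CA proves nothing
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 { return fmt.Errorf("serial %v is revoked", peer.SerialNumber) }
	}
	return nil
}

// scenario builds a constructed CA, one leaf it issued and a CRL that revokes the leaf when
// revoke is true, then returns checkPeer's verdict for that leaf (all values are constructed test data).
func scenario(revoke bool) error {
	now := time.Now()
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue a CRL
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caKey.Public(), caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "peer.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, leafKey.Public(), caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revoke { crlTpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}} }
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	return checkPeer(leaf, ca, crlDER)
}

func main() { fmt.Println("valid leaf:", scenario(false), "| revoked leaf:", scenario(true)) }
```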

Thanks mrz - that is consistent with what I observe on my memory consumption - my HDD space decreases by about 2MB when I Import the certs. Do you know how low on HDD Flash memory I can go before the RB750Gr2 will start to see performance degradation?