ohara
Member
Topic Author
Posts: 371
Joined: Mon Jun 13, 2011 11:30 pm
Location: Warsaw

CRL size limit exceeded, ignoring

Thu Aug 28, 2014 8:08 pm

Could anybody explain what this means exactly and what are the CRL requirements in terms of limit/length? RB751G, ROS 6.19
 
Shiro
Frequent Visitor
Posts: 65
Joined: Wed Sep 25, 2013 6:44 pm

Re: AW: CRL size limit exceeded, ignoring

Fri Aug 29, 2014 7:09 pm

I get that a lot on my CCR1009.

Maybe too large revocation lists? I use cacert.org and some self-signed stuff on my router.
 
Jeanluck
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: CRL size limit exceeded, ignoring

Mon Dec 15, 2014 6:34 pm

I have the same problem with 6.22 (I use CAcert.org) :(
 
chemp86
just joined
Posts: 8
Joined: Wed Nov 19, 2014 9:10 am

Re: CRL size limit exceeded, ignoring

Thu Jan 01, 2015 10:27 am

I have the same problem with 6.22 (I use CAcert.org) :(
Same situation with 6.24.
Guys, we need to fix it.
 
macak91
just joined
Posts: 11
Joined: Sat Jan 17, 2015 7:32 pm

Re: CRL size limit exceeded, ignoring

Sun Jan 18, 2015 7:12 pm

Any solution?
 
Jeanluck
Member Candidate
Posts: 272
Joined: Tue Apr 19, 2011 7:07 pm

Re: CRL size limit exceeded, ignoring

Mon Jan 19, 2015 11:19 am

Not for now :(
Support? Some comment?
 
chemp86
just joined
Posts: 8
Joined: Wed Nov 19, 2014 9:10 am

Re: CRL size limit exceeded, ignoring

Wed Jan 21, 2015 7:27 am

In 6.25 changelog:
*) certificates - fix SCEP RA operation and SCEP client when operating with RA;
But still the same error...
Guys, please, fix this!
 
chemp86
just joined
Posts: 8
Joined: Wed Nov 19, 2014 9:10 am

Re: CRL size limit exceeded, ignoring

Fri Feb 06, 2015 6:23 am

In 6.26 still same...
 
Nunak
just joined
Posts: 4
Joined: Tue Mar 20, 2012 10:56 am

Re: CRL size limit exceeded, ignoring

Thu Feb 12, 2015 10:16 am

In 6.27 still same ... :( On RB2011UAS-2HnD
 
ScottReed
Member Candidate
Posts: 111
Joined: Thu Sep 24, 2009 9:47 pm
Location: Montana / Western Massachusetts

Re: CRL size limit exceeded, ignoring

Thu Mar 26, 2015 2:26 pm

CCR1036-12G-4S... still happening with 6.27.
 
daggerCVN
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: CRL size limit exceeded, ignoring

Thu Mar 31, 2016 3:43 pm

Adding to this older/existing thread. I've purchased an SSL certificate from PositiveSSL/Comodo and installed it on my RB750Gv1 and v2 (hEX) routers. The certificate package includes 4 files. Every hour I get the same error log message: CRL size limit exceeded, ignoring. I've used both v6.19 and v6.32.4 firmwares. Note that the log error message does not indicate which of the four certs is causing the error. Can I get an explanation and hopefully a fix from Mikrotik please?
 
daggerCVN
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: CRL size limit exceeded, ignoring

Thu Mar 31, 2016 4:22 pm

Adding more info:
[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                   COMMON-NAME                SUBJECT-ALT-NAME                                             FINGERPRINT               
 0 K L    T cert_1                 hotspot.addmydevice.com    DNS:www.hotspot.addmydevice.com                              f1ecc5085973f13df2b4cfc...
 1   L A  T ca_2                   COMODO RSA Domain Valid...                                                              02ab57e4e67a0cb48dd2ff3...
 2   L A  T ca_3                   COMODO RSA Certificatio...                                                              4f32d5dc00f715250abcc48...
 3     A  T ca_4                   AddTrust External CA Root                                                               687fa451382278fff0c8b11...

I suspect it is either ca_2 or ca_3 as they are LAT certs which are CRLs, but ca_4 is not classified as a CRL.

Question to the forum/Mikrotik - exactly what happens when you get this Log error of CRL ignored? Does it not apply/use it or is it more of a warning but still is used? Thanks.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: CRL size limit exceeded, ignoring

Thu Mar 31, 2016 6:25 pm

It means that the router does not have enough RAM to download the CRL file at a time. If the CRL is not downloaded, certificates cannot be verified.
 
daggerCVN
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: CRL size limit exceeded, ignoring

Thu Mar 31, 2016 11:32 pm

mrz - thanks for the response. I'm no SSL expert, so pardon my noob questions. I thought all the SSL info was installed with the cert package - the actual certificate and the 3 intermediary/whatever certs I listed above, and they all Imported correctly. Or does the Mikrotik need to communicate with the CA and actually download additional CRL files?? If it is downloading CRL, does it store it to RAM or HDD/Flash memory?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: CRL size limit exceeded, ignoring

Fri Apr 01, 2016 12:53 pm

The remote peer's certificate is sent to the router, and that certificate is compared to the imported CA to check whether it belongs to the chain. If the CA has a CRL, then it is additionally checked whether the certificate is valid (not revoked).

Initially the CRL is downloaded and all its structure is loaded to RAM; because of those structures, about 10 times more RAM is needed than the actual CRL file size. After that the CRL is stored on HDD/flash.
 
daggerCVN
Frequent Visitor
Posts: 50
Joined: Thu Jan 30, 2014 5:05 pm

Re: CRL size limit exceeded, ignoring

Fri Apr 01, 2016 5:04 pm

Thanks mrz - that is consistent with what I observe on my memory consumption - my HDD space decreases by about 2MB when I Import the certs. Do you know how low on HDD Flash memory I can go before the RB750Gr2 will start to see performance degradation?
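
Added example, not part of the thread and not MikroTik code: a way to size up a CA's CRL off the router by counting its revoked entries and applying the "about 10 times" RAM figure from the support reply above. The function names are hypothetical, the factor is only that reply's estimate, and `sample_crl` builds a constructed CRL skeleton with a dummy signature so the block runs offline.

```python
RAM_FACTOR = 10  # "about 10 times" per the support reply; an estimate, not a spec

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, start, end) for each element inside a constructed value."""
    while start < end:
        tag, s, e = read_tlv(buf, start)
        yield tag, s, e
        start = e

def crl_stats(der):
    """Count revoked entries in a DER CRL and estimate RAM needed to load it."""
    tag, s, e = read_tlv(der, 0)            # CertificateList
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, ts, te = next(children(der, s, e))   # tbsCertList
    fields = list(children(der, ts, te))
    # Optional version INTEGER, then signature algorithm, issuer, thisUpdate.
    i = (1 if fields[0][0] == 0x02 else 0) + 3
    if i < len(fields) and fields[i][0] in (0x17, 0x18):    # optional nextUpdate
        i += 1
    revoked = 0
    if i < len(fields) and fields[i][0] == 0x30:            # revokedCertificates
        revoked = sum(1 for _ in children(der, fields[i][1], fields[i][2]))
    return {"bytes": len(der), "revoked": revoked,
            "est_ram_bytes": len(der) * RAM_FACTOR}

def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(content)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + content

def sample_crl(entries):
    """Constructed CRL skeleton (empty issuer, dummy signature) for testing."""
    when = tlv(0x17, b"160331000000Z")
    rev = b"".join(tlv(0x30, tlv(0x02, (0x01000000 + i).to_bytes(4, "big")) + when)
                   for i in range(entries))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0x30, b"") + when + when + tlv(0x30, rev))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))
```

Run `crl_stats` on the DER bytes of each CA's CRL and compare `est_ram_bytes` with the router's free memory to see which imported CA is the likely source of the log message.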
