
CRL size limit exceeded, ignoring

Posted: Thu Aug 28, 2014 8:08 pm
by ohara
Could anybody explain what this means exactly and what are the CRL requirements in terms of limit/length? RB751G, ROS 6.19

Re: AW: CRL size limit exceeded, ignoring

Posted: Fri Aug 29, 2014 7:09 pm
by Shiro
I get that a lot on my CCR1009.

Maybe too large revocation lists? I use cacert.org and some self-signed stuff on my router.

Re: CRL size limit exceeded, ignoring

Posted: Mon Dec 15, 2014 6:34 pm
by Jeanluck
I have the same problem with 6.22 (I use CAcert.org) :(

Re: CRL size limit exceeded, ignoring

Posted: Thu Jan 01, 2015 10:27 am
by chemp86
I have the same problem with 6.22 (I use CAcert.org) :(
Same situation with 6.24.
Guys, we need to fix it.

Re: CRL size limit exceeded, ignoring

Posted: Sun Jan 18, 2015 7:12 pm
by macak91
Any solution?

Re: CRL size limit exceeded, ignoring

Posted: Mon Jan 19, 2015 11:19 am
by Jeanluck
Not for now :(
Support? Some comment?

Re: CRL size limit exceeded, ignoring

Posted: Wed Jan 21, 2015 7:27 am
by chemp86
In 6.25 changelog:
*) certificates - fix SCEP RA operation and SCEP client when operating with RA;
But still the same error...
Guys, please, fix this!

Re: CRL size limit exceeded, ignoring

Posted: Fri Feb 06, 2015 6:23 am
by chemp86
In 6.26 still same...

Re: CRL size limit exceeded, ignoring

Posted: Thu Feb 12, 2015 10:16 am
by Nunak
In 6.27 still same ... :( On RB2011UAS-2HnD

Re: CRL size limit exceeded, ignoring

Posted: Thu Mar 26, 2015 2:26 pm
by ScottReed
CCR1036-12G-4S... still happening with 6.27.

Re: CRL size limit exceeded, ignoring

Posted: Thu Mar 31, 2016 3:43 pm
by daggerCVN
Adding to this older/existing thread. I've purchased an SSL certificate from PositiveSSL/Comodo and installed it on my RB750Gv1 and v2 (hEX) routers. The certificate package includes 4 files. Every hour I get the same error log message: CRL size limit exceeded, ignoring. I've used both v6.19 and v6.32.4 firmwares. Note that the log error message does not indicate which of the four certs is causing the error. Can I get an explanation and hopefully a fix from Mikrotik please?

Re: CRL size limit exceeded, ignoring

Posted: Thu Mar 31, 2016 4:22 pm
by daggerCVN
Adding more info:
[admin@MikroTik] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #          NAME                   COMMON-NAME                SUBJECT-ALT-NAME                                             FINGERPRINT               
 0 K L    T cert_1                 hotspot.addmydevice.com    DNS:www.hotspot.addmydevice.com                              f1ecc5085973f13df2b4cfc...
 1   L A  T ca_2                   COMODO RSA Domain Valid...                                                              02ab57e4e67a0cb48dd2ff3...
 2   L A  T ca_3                   COMODO RSA Certificatio...                                                              4f32d5dc00f715250abcc48...
 3     A  T ca_4                   AddTrust External CA Root                                                               687fa451382278fff0c8b11...

I suspect it is either ca_2 or ca_3 as they are LAT certs which are CRLs, but ca_4 is not classified as a CRL.

Question to the forum/Mikrotik - exactly what happens when you get this Log error of CRL ignored? Does it not apply/use it or is it more of a warning but still is used? Thanks.

Re: CRL size limit exceeded, ignoring

Posted: Thu Mar 31, 2016 6:25 pm
by mrz
It means that the router does not have enough RAM to download the CRL file at a time. If the CRL is not downloaded, certificates cannot be verified.

Re: CRL size limit exceeded, ignoring

Posted: Thu Mar 31, 2016 11:32 pm
by daggerCVN
mrz - thanks for the response. I'm no SSL expert, so pardon my noob questions. I thought all the SSL info was installed with the cert package - the actual certificate and the 3 intermediary/whatever certs I listed above, and they all Imported correctly. Or does the Mikrotik need to communicate with the CA and actually download additional CRL files?? If it is downloading CRL, does it store it to RAM or HDD/Flash memory?

Re: CRL size limit exceeded, ignoring

Posted: Fri Apr 01, 2016 12:53 pm
by mrz
The remote peer's certificate is sent to the router, and that certificate is compared to the imported CA to see whether it belongs to the chain. If the CA has a CRL, it is additionally checked whether the certificate is valid (not revoked).

Initially the CRL is downloaded and its whole structure is loaded into RAM; because of those structures, about 10 times more RAM is needed than the actual CRL file size. After that, the CRL is stored on HDD/flash.
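
Added example (not part of the post above and not MikroTik code): a standard-library Python sketch that walks a DER-encoded CRL, counts its revoked entries, and applies the "about 10 times" RAM rule from the post to judge whether it would fit. The function names, the `free_ram_bytes` parameter, and the sample CRL are assumptions constructed for illustration; RouterOS's actual limit is not stated in this thread.

```python
RAM_FACTOR = 10  # "about 10 times" the CRL file size, per the post above

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def crl_footprint(der, free_ram_bytes):
    """Count revoked entries and estimate the RAM needed to load the CRL."""
    _, s, e = read_tlv(der, 0)             # CertificateList
    _, s, e = read_tlv(der, s)             # tbsCertList
    fields = list(children(der, s, e))
    if fields and fields[0][0] == 0x02:    # optional version INTEGER
        fields.pop(0)
    fields = fields[2:]                    # skip signature algorithm, issuer
    while fields and fields[0][0] in (0x17, 0x18):  # thisUpdate / nextUpdate
        fields.pop(0)
    revoked = 0
    if fields and fields[0][0] == 0x30:    # revokedCertificates (optional)
        revoked = sum(1 for _ in children(der, fields[0][1], fields[0][2]))
    need = len(der) * RAM_FACTOR
    return {"revoked": revoked, "file_bytes": len(der),
            "est_ram_bytes": need, "fits": need <= free_ram_bytes}

# --- constructed sample CRL (hypothetical CA, dummy signature) ---
def tlv(tag, body):
    n = len(body)
    k = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + ln + body

def sample_crl(entries):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    cn = tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Constructed Test CA")
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, cn)))
    when = tlv(0x17, b"160401000000Z")
    revoked = tlv(0x30, b"".join(
        tlv(0x30, tlv(0x02, ((1 << 120) | i).to_bytes(16, "big")) + when)
        for i in range(entries)))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + when + when + revoked)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 257))
```

To size a real list, pass the bytes of a DER CRL file fetched from the CA's CRL distribution point in place of `sample_crl(...)`.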

Re: CRL size limit exceeded, ignoring

Posted: Fri Apr 01, 2016 5:04 pm
by daggerCVN
Thanks mrz - that is consistent with what I observe on my memory consumption - my HDD space decreases by about 2MB when I Import the certs. Do you know how low on HDD Flash memory I can go before the RB750Gr2 will start to see performance degradation?