
CRL returned from GoDaddy is incorrectly formatted... How to fix?

The CRL associated with our GoDaddy certificate is not parseable and is resulting in errors when the SSL client is configured to check CRLs. It was working until this a.m.

I manually downloaded the CRL from GoDaddy's website (pointed to in the certificate) - crl.godaddy.com/gdig2s1-917.crl - and ran it through the openssl command, and I get the following error:

 

unable to load CRL
140736046302088:error:0D07809F:asn1 encoding routines:ASN1_ITEM_EX_D2I:unexpected eoc:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/tasn_dec.c:368:Type=X509_REVOKED
140736046302088:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/tasn_dec.c:621:Field=revoked, Type=X509_CRL_INFO
140736046302088:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/asn1/tasn_dec.c:653:Field=crl, Type=X509_CRL

 

It looks like GoDaddy has put up a poorly formatted CRL file or there is some kind of issue in OpenSSL (which will blow up in lots of places). Either that or there is some kind of MITM attack against their CRL service. Anyone else see anything like this, or does no one care since Chromium ignores CRLs?
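A structural walk of the downloaded file, added here as an example and not part of the original post, reports the byte offset at which the DER encoding breaks, which helps tell a truncated download from a damaged revocation entry. It checks structure only (no signature or issuer validation), and the sample bytes are constructed, not a real CRL.

```python
# Added example: structural DER walk for a downloaded CRL (standard library only).
def read_tlv(buf, pos, end):
    """Parse one TLV header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag == 0x00:
        raise ValueError(f"unexpected end-of-contents (tag 0x00) at offset {pos}")
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError(f"encoding not valid for a DER CRL at offset {pos}")
    pos += 2
    length = first
    if first > 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if pos + n > end:
            raise ValueError(f"truncated length at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError(f"content at offset {pos} claims {length} bytes, {end - pos} remain")
    return tag, pos, pos + length

def walk(buf, pos, end):
    """Validate every nested element in buf[pos:end]; return the element count."""
    count = 0
    while pos < end:
        tag, start, stop = read_tlv(buf, pos, end)
        count += 1 + (walk(buf, start, stop) if tag & 0x20 else 0)  # 0x20 = constructed
        pos = stop
    return count

def check_crl(buf):
    """Return None when the DER structure is sound, else a description of the fault."""
    if buf[:1] != b"\x30":
        return "outer element is not a SEQUENCE (PEM text or an HTTP error page?)"
    try:
        _, start, stop = read_tlv(buf, 0, len(buf))
        if stop != len(buf):
            return f"{len(buf) - stop} trailing bytes after the CRL"
        walk(buf, start, stop)
    except ValueError as exc:
        return str(exc)
    return None

# Constructed samples shaped like a CRL (not real data): one revoked entry, then a BIT STRING.
ENTRY = bytes.fromhex("3013 0202 0123 170d") + b"240101000000Z"
GOOD = bytes.fromhex("3020 301a 020101 3015") + ENTRY + bytes.fromhex("030200ff")
ZEROED = GOOD.replace(ENTRY, bytes(len(ENTRY)))  # revoked entry overwritten with zeros
```

To check the file from the post after downloading it: `print(check_crl(open("gdig2s1-917.crl", "rb").read()))`.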

1 REPLY

Looks like it was temporary - they updated the CRL this afternoon. This one seems to work.