KB Article #177690
CRL (Dynamic) filter produces "cannot decode CRL" error on large, valid CRL
Problem
* A large, valid CRL may result in an exception like the following when referenced by a CRL (Dynamic) filter:
ERROR 19/Nov/2015:15:12:32.463 [1b04] java exception: java.security.cert.CertificateException: cannot decode CRL
    at com.vordel.security.openssl.OSSLCertificateFactorySpi.engineGenerateCRLFromDER(Native Method)
    at com.vordel.security.openssl.OSSLCertificateFactorySpi.engineGenerateCRL(OSSLCertificateFactorySpi.java:59)
    at java.security.cert.CertificateFactory.generateCRL(CertificateFactory.java:497)
    at com.vordel.circuit.cert.CRLResponderProcessor.startCRLRetrieval(CRLResponderProcessor.java:156)
    at com.vordel.circuit.cert.CRLResponderProcessor.filterAttached(CRLResponderProcessor.java:102)
    at com.vordel.circuit.cert.CRLValidationProcessor.filterAttached(CRLValidationProcessor.java:25)
    at com.vordel.circuit.FilterContainer.configureFilter(FilterContainer.java:42)
    at com.vordel.circuit.Circuit.createContainer(Circuit.java:271)
    at com.vordel.circuit.Circuit.loadFilter(Circuit.java:215)
    at com.vordel.circuit.Circuit.loadFilter(Circuit.java:219)
    at com.vordel.circuit.Circuit.configure(Circuit.java:184)
    at com.vordel.circuit.CircuitCache.getCircuit(CircuitCache.java:61)
    at com.vordel.circuit.CircuitChainFilter.resolveCircuits(CircuitChainFilter.java:68)
    at com.vordel.circuit.CircuitChainProcessor.attach(CircuitChainProcessor.java:25)
    at com.vordel.dwe.http.HTTPPlugin.configureCircuits(HTTPPlugin.java:129)
    at com.vordel.dwe.http.HTTPPlugin.configure(HTTPPlugin.java:83)
    at com.vordel.dwe.NativeModule.configure(NativeModule.java:146)
    at com.vordel.dwe.NativeModule.configure(NativeModule.java:60)
    at com.vordel.precipitate.SolutionPack$ConfigModule.configure(SolutionPack.java:509)
    at com.vordel.precipitate.SolutionPack.loadModules(SolutionPack.java:628)
    at com.vordel.dwe.Service.refresh(Service.java:437)
    at com.vordel.api.configuration.ConfigurationService.updateConfiguration(ConfigurationService.java:87)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
    at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185)
    at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
    at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288)
    at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
    at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
    at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469)
    at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349)
    at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339)
    at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:537)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:699)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
INFO 19/Nov/2015:15:12:32.811 [1b04] unload 1 modules from Axway-12-DirectoryService
ERROR 19/Nov/2015:15:12:35.368 [2798] There was a problem loading the CRL cannot decode CRL
Resolution
Large CRLs can use more memory than is permitted by the maximum memory per request setting, which can result in errors like the one above. To resolve this, increase the memory setting by using the updateMaxInOutLen.py script, which modifies the memory settings for an instance's management interface in mgmt.xml.
For further details, read the script's help text by running the following command from the /samples/scripts/ folder:
./run.sh config/updateMaxInOutLen.py --help
Be warned that if you set an invalid value via that script (e.g. more memory than can actually be allocated), the server may fail to start up afterwards and you will not be able to run the script again, as it can only run when the servers are up. Make a backup before using that script if there is any doubt.
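One way to pick a value instead of guessing, as an added example that is not part of the original article or the product's own code: read the CRL's total encoded size from the first bytes of its DER header and compare it with the limit you plan to set. The sample header, the limit value, and the use of encoded size as a lower bound on the memory the request needs are assumptions.

```python
"""Added example: read a DER-encoded CRL's total size from its first bytes."""


def der_total_length(prefix: bytes) -> int:
    """Return header + content length of the outer DER SEQUENCE (the CertificateList)."""
    if len(prefix) < 2:
        raise ValueError("need at least 2 bytes")
    if prefix[0] != 0x30:
        # A PEM file starts with '-' (0x2D); convert it to DER before checking.
        raise ValueError("not a DER SEQUENCE (tag 0x%02x)" % prefix[0])
    first = prefix[1]
    if first < 0x80:
        # Short form: the length fits in 7 bits.
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if len(prefix) < 2 + n:
        raise ValueError("prefix too short for length field")
    return 2 + n + int.from_bytes(prefix[2:2 + n], "big")


def fits_limit(prefix: bytes, limit_bytes: int) -> bool:
    """True if the encoded CRL alone fits within limit_bytes."""
    return der_total_length(prefix) <= limit_bytes


# Constructed sample: header of a CRL whose content is 12,000,000 bytes.
SAMPLE_HEADER = bytes([0x30, 0x83]) + (12_000_000).to_bytes(3, "big")
# Hypothetical limit for illustration; take the real value from your own configuration.
ASSUMED_LIMIT = 10 * 1024 * 1024

if __name__ == "__main__":
    size = der_total_length(SAMPLE_HEADER)
    ok = fits_limit(SAMPLE_HEADER, ASSUMED_LIMIT)
    print(f"CRL size: {size} bytes; fits within {ASSUMED_LIMIT} bytes: {ok}")
```

On a real CRL, pass the first 16 bytes of the DER file to `der_total_length`.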