Openssl fails to parse a large certificate revocation list. See the debian bug for more information (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826552). The bug also includes a link to commit fixing the problem (https://github.com/openssl/openssl/commit/a1eef756cc1948ed4d1f175d97367aa2b24d962d). I can confirm that applying this patch fixes my issue. Would you consider cherry-picking this patch to fix the issue? Reproducible: Always Steps to Reproduce: 1. Get a large crl. E.g.: rsync crl.cacert.org::crl/revoke.crl /tmp/revoke.crl 2. Try to parse it: $ openssl crl -inform der -in "/tmp/revoke.crl.tmp" Actual Results: Command fails with: unable to load CRL 139987305621136:error:0D09E09B:asn1 encoding routines:X509_NAME_EX_D2I:too long:x_name.c:203: 139987305621136:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=issuer, Type=X509_CRL_INFO 139987305621136:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:697:Field=crl, Type=X509_CRL Expected Results: CRL parsed successfully.