All connections rejected if crlfile is used

[FirstWithThisName]

I am using the latest (2.0.14) mosquitto version on debian 11.

I am using certificates for authentication and want to include a crl file.
This is my config /etc/mosquitto/conf.d/my.conf:

per_listener_settings true

listener 8883
bind_address 0.0.0.0
#bind_port = 8883
allow_anonymous false

cafile /etc/mosquitto/ca_certificates/ca.cert
keyfile /etc/mosquitto/certs/mqtt-server.key
certfile /etc/mosquitto/certs/mqtt-server.crt
require_certificate true
use_subject_as_username true

crlfile /etc/mosquitto/my-crlfile

When I try to send a message to the server I get this error.
Client OpenSSL Error[0]: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Server OpenSSL Error[0]: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

When I remove the crlfile line from the config everthing works fine.

This is the content of /etc/mosquitto/my-crlfile

-----BEGIN X509 CRL-----
MIIDPjCCASYCAQEwDQYJKoZIhvcNAQELBQAwVzEOMAwGA1UEChMFTXlPcmcxDzAN
BgNVBAcTBlZpZW5uYTEPMA0GA1UECBMGVmllbm5hMQswCQYDVQQGEwJBVDEWMBQG
A1UEAxMNTXlPcmcgUm9vdCBDQRcNMjIwNzIyMTAxMDU3WhcNMjIwNzIzMTAxMDU3
WqCBmjCBlzCBlAYDVR0jBIGMMIGJgBSiMiQ26pLZIWDqD3cCWCr82RWSx6FbpFkw
VzEWMBQGA1UEAwwNTXlPcmcgUm9vdCBDQTELMAkGA1UEBhMCQVQxDzANBgNVBAgM
BlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMQ4wDAYDVQQKDAVNeU9yZ4IUerRHIXQ7
sz+ayrjVYb4o7kxhnA4wDQYJKoZIhvcNAQELBQADggIBAHkRs0zgBc1XBUV2F+uC
MW2Y8dlVGq+rOuoyT+i8hCrnK5M4WdwB5Nks20Ytr+qFAqdeJCoz5HXZSly3Xn+C
x0q65Z4qOat4ivMakG3ha3jDwsdWo+av405XBsGcoT55ZWfStiF5HcwHqZoPfTYv
BhWLEJfobLwzmI4vgSabJVwdhMJGrtRBi2pErYarq3q+8tEJDuGKJ1w3SgrqgcF2
1ZzDcE1CpO/LWRTXdR08ggRRviAIOJhYrxusf4sPDpOVOx9HvtzN0TotLic3ldQG
z8027pddwiUWn96sgJd8F28DrHD6Lp+SClIEXlzGdVuk0YyUc9pf8H+esZfMa8B3
dMws6s3eB6M9mZr13iLrzpkGjPP/StoGGT5rbp7xrLdynYfcsvCdbUeOV4AbG6UE
FIVo0OKXrS50fIxy7B/MbMIljjCzAVM3OWdwJ7YZv+ympH50/RookrT51HvKOT5l
hEwQovivfiKL0ts/X//wE0sF5TIsefp1Uavr1BQIepePRN85NeKW3Muo43zpdJzS
d6btBkQmdyXMhqaO6VjJBE6ov0hKfgBq+egPvxCx9IoFNIHdJBfm47lP7mzqMdbr
5QATcTQ95XdwEwPG0DYxn0hSfkMlQd/H6AVJSYSNOFP7+4Y5NYQO9SiveHu1MQge
ozOMF1cdGCZxmprVmQ+wV5bm
-----END X509 CRL-----

It does not contain any certificates so far, adding on ends up with the same result.

[FirstWithThisName]

Checking via openssl commandline:

openssl verify -CRLfile ../MyOrg.crl -CAfile ../MyOrg-RootCA.crt -verbose my.cert

my.cert: OK

[ralight]

Thanks for the report. I haven't been able to reproduce this so far (on Ubuntu 22.04) - I'll see about trying it on Debian 11.

[devhls]

@FirstWithThisName Please check that all declined certificates have the unique subject property (this is the distinguished name). If CRL contains a certificate with a different serial number but the same subject, then both certificates are considered to be revoked.
Check RFC5280: https://www.rfc-editor.org/rfc/rfc5280#page-23