===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/krl.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- src/usr.bin/ssh/krl.c 2013/01/25 05:00:27 1.7
+++ src/usr.bin/ssh/krl.c 2013/01/25 10:22:19 1.8
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.7 2013/01/25 05:00:27 krw Exp $ */
+/* $OpenBSD: krl.c,v 1.8 2013/01/25 10:22:19 djm Exp $ */
 #include
 #include
@@ -1146,8 +1146,11 @@
 return -1;
 }
- /* Legacy cert formats lack serial numbers */
- if (key_cert_is_legacy(key))
+ /*
+ * Legacy cert formats lack serial numbers. Zero serials numbers
+ * are ignored (it's the default when the CA doesn't specify one).
+ */
+ if (key_cert_is_legacy(key) || key->cert->serial == 0)
 return 0;
 bzero(&rs, sizeof(rs));
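Review bot: In the second hunk the added `key->cert->serial == 0` test returns 0 before the serial lookup that follows; if 0 means "not revoked" here, as the comment's "ignored" suggests, this revocation check fails open for every certificate issued without a serial, and the comment does not say how such a certificate is meant to be revoked. I would say so in the comment, e.g. `* Such certs cannot be revoked by serial; revoke them by key ID or by key.`, after confirming that those lookups exist and run before this point, which the hunk does not show. It is also worth checking that whatever builds or parses a KRL rejects a serial of 0, so that an entry for it is not silently ineffective. The comment's "Zero serials numbers" should read "Zero serial numbers". The enclosing function starts and ends outside the hunk.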