Hi,

I'm testing the use of revocation lists in mod_ssl, using the SSLCARevocationFile directive in httpd.conf. Apache/mod_ssl is set up to require client authentication, and should reject client certificates which have been revoked.

When I issue my own certificates and CRLs using the OpenSSL command line tool, everything works as expected; that is, access is denied when the certificate has been revoked.

However, the "real" users will be issued certificates (on smart cards, incidentally) from our own CA. These are standard X509v3 certificates, and I can see no significant differences when I compare them to test certs generated by OpenSSL. Our own certificates work fine for client authentication, but when I revoke one of them and add the corresponding CRL to the SSLCARevocationFile, the client cert is still considered valid. No errors or warning messages are produced, even with SSLLogLevel set to "trace". I have tested this on both WinNT and AIX and observed the same behaviour on both platforms.

When comparing our own CRLs to those generated by OpenSSL, the only difference I can see is that the signature algorithm used by OpenSSL is md5RSA, while we sign our CRLs using sha1RSA. They are both standard V1 CRLs. All relevant issuer certificates are present in the SSLCACertificateFile (otherwise, client authentication would not have worked)...
Questions:

1) Are there any specific requirements concerning attributes/extensions in the user or CA certificates that must be observed for CRL checking to work?
2) Are there any specific requirements concerning the CRL signature algorithm?
3) Any other possible reason why CRL checking would be skipped for a particular certificate, given that a valid CRL is present?
4) Does mod_ssl handle Version 2 CRLs?
5) What is mod_ssl's defined behaviour when a CRL is present but has expired?
In case anyone should feel like looking into this matter, I enclose samples of certificates/CRLs.
Cert/CRL issued by OpenSSL tool:
=======================
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
CRL Issued by OpenSSL where the above certificate has been revoked
====================================================
-----BEGIN X509 CRL-----
MIIBIzCBzjANBgkqhkiG9w0BAQQFADBgMQswCQYDVQQGEwJBVTEMMAoGA1UECBMD
UUxEMRkwFwYDVQQKExBNaW5jb20gUHR5LiBMdGQuMQswCQYDVQQLEwJDUzEbMBkG
A1UEAxMSU1NMZWF5IGRlbW8gc2VydmVyFw0wMDA4MDMxMzMwMTRaFw0wMDA4MDMx
ODMwMTRaMD0wEgIBARcNOTUxMDA5MjMzMjA1WjASAgEDFw05NTEyMDEwMTAwMDBa
MBMCAgEeFw0wMDA4MDMxMzI4MDNaMA0GCSqGSIb3DQEBBAUAA0EAkOJtn+RqmBM2
Wsu2KmicY2SoKlqDGRUoNXV3BsYXUr6uO2quz72iSdZ7cXTPrbtTm4/5fsQxkovl
frCXE4OkSA==
-----END X509 CRL-----
The certificate in this case works for client authentication until revoked.
Cert/CRL issued by our own CA:
====================
-----BEGIN CERTIFICATE-----
MIICSjCCAbOgAwIBAgICAv4wDQYJKoZIhvcNAQEFBQAwMDELMAkGA1UEBhMCTk8x
EDAOBgNVBAoUB1RFU1QtQ0ExDzANBgNVBAMUBkNSTC1DQTAeFw0wMDA4MDExMTI3
MzRaFw0wMjA4MDExMTI3MzRaMCgxCzAJBgNVBAYTAk5PMRkwFwYDVQQDFBBEYWcg
Q1JMIExlZ2VybuZzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCU0FfHZAMo
glwFJj56ST3lxQPORsgqD1e7mbxz6UayZDqofpYwu60AYVmnCKCa6m6520ry2UsE
YGVgjB89WfbKJvRAj7FWKM9fp9oCe5kai05Pz031ni1kuC6Ls6Qq6ibmEJsgjgQv
elXMP0KmFgvzO7Sty0jnqOdHcc015km8LQIDAQABo3sweTARBgNVHSAECjAIMAYG
BCt0YAMwCQYDVR0TBAIwADARBgNVHQ4ECgQITr1eiTui9qIwMQYDVR0fBCowKDAm
oCSgIoYgaHR0cDovL3BlaWQuc2RzLm5vL0NSTC9jcmxjYS5jcmwwEwYDVR0jBAww
CoAIR2VuS2V5U1cwDQYJKoZIhvcNAQEFBQADgYEAxt0jJJFaiAaoifpZbrGmAAqR
7j1Ve4wGXOGo+R3aNMg2w9ChnUocsDSr7AiTnNz2xDTMwv4+zJEEMhASNSjvCJif
3r08FKCmmVNZtm9AYTVCnohXYT6GyK1ode6CYybN2sqCUdksOWNrOoGu0ZPi4osA
VOxXQFdDBG/4AsDbx4Y=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBCzB2MA0GCSqGSIb3DQEBBQUAMDAxCzAJBgNVBAYTAk5PMRAwDgYDVQQKEwdU
RVNULUNBMQ8wDQYDVQQDEwZDUkwtQ0EXDTAwMDgwMzIxMDI0MVoXDTAwMDgwMzIy
MDI0MVowFTATAgIC/hcNMDAwODAxMjAzNjAxWjANBgkqhkiG9w0BAQUFAAOBgQCM
Qj70Qzv7a38CDlLyo5Dmf6E+sHN58qPqxXOri46iaKoaD0tJ3LCh9lMAyYtwl93v
wT11w87q1WgApgobv8fXINAXRyO3E0a1T+0x7mFwi3xTHVimtKZNyIWnG/4srWI1
1HktrKvf8q+g3+8tKYIbcSrWE20xkLeTHwhtLkC6UA==
-----END X509 CRL-----
This certificate works for client authentication, even _after_ it has been revoked and the CRL has been placed in SSLCARevocationFile.
Best Regards,
Dag Legernes
Posten SDS
Norway
mailto:[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
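The certificate and CRL quoted in the post decode to exactly the fields a CRL lookup has to agree on, so they can be checked directly. The script below is an added example, not part of the original message and not mod_ssl or OpenSSL code: a standard-library-only DER walker that parses the CRL-CA client certificate and CRL above (embedded as `OWN_CA_CERT` and `OWN_CA_CRL`, copied from the post) and reports the preconditions any CRL check needs before it can reject a certificate: the certificate's serial number must be listed, the CRL's issuer name must match the certificate's issuer name, and the CRL must still be inside its thisUpdate/nextUpdate window. The function names and the dictionary keys are this example's own.

```python
import base64, re, datetime as dt

SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
# Sample data: the CRL-CA client certificate and CRL quoted in the post above (not constructed here).
OWN_CA_CERT = """-----BEGIN CERTIFICATE-----
MIICSjCCAbOgAwIBAgICAv4wDQYJKoZIhvcNAQEFBQAwMDELMAkGA1UEBhMCTk8x
EDAOBgNVBAoUB1RFU1QtQ0ExDzANBgNVBAMUBkNSTC1DQTAeFw0wMDA4MDExMTI3
MzRaFw0wMjA4MDExMTI3MzRaMCgxCzAJBgNVBAYTAk5PMRkwFwYDVQQDFBBEYWcg
Q1JMIExlZ2VybuZzMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCU0FfHZAMo
glwFJj56ST3lxQPORsgqD1e7mbxz6UayZDqofpYwu60AYVmnCKCa6m6520ry2UsE
YGVgjB89WfbKJvRAj7FWKM9fp9oCe5kai05Pz031ni1kuC6Ls6Qq6ibmEJsgjgQv
elXMP0KmFgvzO7Sty0jnqOdHcc015km8LQIDAQABo3sweTARBgNVHSAECjAIMAYG
BCt0YAMwCQYDVR0TBAIwADARBgNVHQ4ECgQITr1eiTui9qIwMQYDVR0fBCowKDAm
oCSgIoYgaHR0cDovL3BlaWQuc2RzLm5vL0NSTC9jcmxjYS5jcmwwEwYDVR0jBAww
CoAIR2VuS2V5U1cwDQYJKoZIhvcNAQEFBQADgYEAxt0jJJFaiAaoifpZbrGmAAqR
7j1Ve4wGXOGo+R3aNMg2w9ChnUocsDSr7AiTnNz2xDTMwv4+zJEEMhASNSjvCJif
3r08FKCmmVNZtm9AYTVCnohXYT6GyK1ode6CYybN2sqCUdksOWNrOoGu0ZPi4osA
VOxXQFdDBG/4AsDbx4Y=
-----END CERTIFICATE-----"""
OWN_CA_CRL = """-----BEGIN X509 CRL-----
MIIBCzB2MA0GCSqGSIb3DQEBBQUAMDAxCzAJBgNVBAYTAk5PMRAwDgYDVQQKEwdU
RVNULUNBMQ8wDQYDVQQDEwZDUkwtQ0EXDTAwMDgwMzIxMDI0MVoXDTAwMDgwMzIy
MDI0MVowFTATAgIC/hcNMDAwODAxMjAzNjAxWjANBgkqhkiG9w0BAQUFAAOBgQCM
Qj70Qzv7a38CDlLyo5Dmf6E+sHN58qPqxXOri46iaKoaD0tJ3LCh9lMAyYtwl93v
wT11w87q1WgApgobv8fXINAXRyO3E0a1T+0x7mFwi3xTHVimtKZNyIWnG/4srWI1
1HktrKvf8q+g3+8tKYIbcSrWE20xkLeTHwhtLkC6UA==
-----END X509 CRL-----"""

def pem_to_der(pem):
    return base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))

def children(buf):                              # split a DER SEQUENCE/SET body into (tag, element, contents)
    out, off = [], 0
    while off < len(buf):
        tag, length, hdr = buf[off], buf[off + 1], 2
        if length & 0x80:                       # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
        end = off + hdr + length
        out.append((tag, buf[off:end], buf[off + hdr:end]))
        off = end
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:                             # base-128 arcs, high bit set = continuation
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def asn1_time(tag, val):                        # 0x17 UTCTime (two-digit year), 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def name_text(name):                            # -> ("C=NO/O=.../CN=...", [ASN.1 string tag of each value])
    parts, tags = [], []
    for _, _, rdn in children(name):
        for _, _, atv in children(rdn):
            (_, _, oid), (tag, _, val) = children(atv)
            parts.append(NAME_OIDS.get(decode_oid(oid), decode_oid(oid)) + "=" + val.decode("latin-1"))
            tags.append(tag)
    return "/".join(parts), tags

def parse_crl(pem):
    (_, _, crl), = children(pem_to_der(pem))
    f = children(children(crl)[0][2])           # TBSCertList fields
    version = f.pop(0)[2][0] + 1 if f[0][0] == 0x02 else 1   # a v1 CRL has no version field at all
    (_, _, alg), (_, issuer_der, issuer), (t_tag, _, t_val) = f[:3]
    f, next_update, revoked = f[3:], None, []
    if f and f[0][0] in (0x17, 0x18):           # nextUpdate is OPTIONAL
        next_update = asn1_time(f[0][0], f.pop(0)[2])
    if f and f[0][0] == 0x30:                   # revokedCertificates: SEQUENCE OF {serial, date, ...}
        for _, _, entry in children(f[0][2]):
            (_, _, serial), (d_tag, _, d_val) = children(entry)[:2]
            revoked.append((int.from_bytes(serial, "big"), asn1_time(d_tag, d_val)))
    issuer_text, tags = name_text(issuer)
    return {"version": version, "sig_alg": SIG_OIDS.get(decode_oid(children(alg)[0][2]), "unknown"),
            "issuer": issuer_text, "issuer_tags": tags, "issuer_der": issuer_der,
            "this_update": asn1_time(t_tag, t_val), "next_update": next_update, "revoked": revoked}

def parse_cert(pem):
    (_, _, cert), = children(pem_to_der(pem))
    f = children(children(cert)[0][2])          # TBSCertificate fields
    f = f[1:] if f[0][0] == 0xA0 else f         # drop the [0] EXPLICIT version that v3 certificates carry
    (_, _, serial), _, (_, issuer_der, issuer) = f[:3]
    issuer_text, tags = name_text(issuer)
    return {"serial": int.from_bytes(serial, "big"), "issuer": issuer_text,
            "issuer_tags": tags, "issuer_der": issuer_der}

def crl_lookup_report(cert, crl, now=None):     # the preconditions a CRL check needs to reject this cert
    now = now or dt.datetime.now(dt.timezone.utc)
    return {"serial_listed": any(s == cert["serial"] for s, _ in crl["revoked"]),
            "issuer_text_matches": cert["issuer"] == crl["issuer"],
            "issuer_der_matches": cert["issuer_der"] == crl["issuer_der"],
            "crl_expired": crl["next_update"] is not None and now > crl["next_update"]}

if __name__ == "__main__":
    print(crl_lookup_report(parse_cert(OWN_CA_CERT), parse_crl(OWN_CA_CRL)))
```

Run over the posted data, `parse_crl` reports a v1 CRL signed with sha1WithRSAEncryption, valid from 21:02:41 to 22:02:41 UTC on 3 August 2000 (a one-hour window, so the `crl_expired` flag is true for any test run after that hour, which is the situation question 5 asks about), with serial 766 (0x2FE) revoked; `parse_cert` shows the client certificate carries that same serial, so the CRL content itself is right. The issuer names also render identically as C=NO/O=TEST-CA/CN=CRL-CA, which is what a visual comparison shows. Their DER is not identical, though: the certificate encodes O and CN as T61String (tag 0x14) while the CRL encodes them as PrintableString (0x13), so `issuer_der_matches` is false. Whether that matters depends on how the lookup pairs CRL with certificate: a comparison made over the encoded name bytes, or over a hash of them (the hashed file names used by a CRL directory are derived from the DER issuer name), will not find this CRL for this certificate, while a comparison that ignores the string type will. Since it is the one thing that actually differs between the two issuers, it is worth ruling out before looking at the signature algorithm.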