Hello,
We have an application using OpenSSL that acts as a server and receives SSL 
connections.

Based on the configuration, the server requests a client certificate and 
validates it by checking that it is signed by a trusted CA, plus other checks 
(CN, ...), but it was not validating against a CRL. We used the following 
functions from the OpenSSL libraries to enable that:

        SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
        SSL_set_verify_depth(ssl, G_PPROFS[profIndex].certdef);

Our verify_callback also does other checks, and we were getting the client 
certificate and doing the validation with no problems. We have now been 
requested to add support for CRLs.

The CRL file is loaded at the time the software is started.

1) The CRL support works fine when the client certificate is signed by the same 
authority (CA) that issued the CRL. We had to add the following to the code to 
support client validation against a CRL:

        // Get the store structure behind the SSL_CTX of this profile
        X509_STORE *x509_store = SSL_CTX_get_cert_store(G_SSLINFO[profIndex].ctx);

        // Add the CRLs from the configured CRL file to the store
        if (!load_file_lookup(x509_store, G_PPROFS[profIndex].crlfile)) {
            sprintf(obuf, "load_file_lookup failed for crl file %s on profile %i",
                    G_PPROFS[profIndex].crlfile, profIndex);
            SSLPrintErr(IMMED, DANGER_, XLPRGFLO, obuf);
            return (-1);
        }

        /* NOTE: we use the method above instead of X509_STORE_add_crl. The
           CRLs are in a file and we believed that has the same result as
           processing each CRL and adding it into the X509_STORE. Hope it
           is correct. It seems to work, but we are using one CRL, so
           more testing may be needed. */

        //X509_STORE_add_crl(x509_store, crl);

        // Turn on CRL checking for every certificate in the chain, with
        // extended CRL support, by merging these flags into the SSL_CTX params
        X509_VERIFY_PARAM *param;
        param = X509_VERIFY_PARAM_new();
        X509_VERIFY_PARAM_set_flags(param,
            X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL | X509_V_FLAG_EXTENDED_CRL_SUPPORT);
        SSL_CTX_set1_param(G_SSLINFO[profIndex].ctx, param);
        X509_VERIFY_PARAM_free(param);

We tested that for a while and it seems to work just fine. Certificates that 
are revoked are detected and the connection ends with an error of the type:

        "SSL alert (write): fatal: certificate revoked"

Certificates that are valid are processed with no issues and the connections are 
established. However, if a client certificate is received and it is signed by 
a different CA than the one that issued the CRL, we get the error "unable to 
get certificate CRL". So it seems to work fine in that "direct CRL" scenario.

Now the issue is around "indirect CRL":

2) The CRL support does not work if the client certificate is not signed by the 
same authority that issued the CRL.  Below is one example:

The client certificate is signed by CA1, and in the CRL Distribution Points we have:

 CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://luc.com/luc.crl
     CRL Issuer:
          Directory Address:
               CN=Luc CRL Issuer
               O=Luc

The CRL is issued by "Luc CRL Issuer" and the "Luc CRL Issuer" certificate is 
signed by "CA1".

I was hoping that the code above would still work given that I added the flag 
X509_V_FLAG_EXTENDED_CRL_SUPPORT, and was expecting that the libraries would:

a) Look for a direct CRL by checking whether it can find a CRL issued by the 
same issuer that issued the client certificate. If not, then
b) Check the CRL Issuer from the client certificate and check whether there is a 
CRL issued under that issuer name. If yes, then use it; else
c) CRL not found.

Could someone take a look and let me know if my assumptions are correct 
regarding the behavior of OpenSSL with respect to indirect CRL support? If 
my assumptions are correct, could you tell me what I am missing, as it is not 
working? If my assumptions are not valid, do you know how I should approach 
support for indirect CRLs?

Thanks!!


*************************
Benjamin Sligar
Manager, Development Support
P: 703.453.8324
us_dev_supp...@tnsi.com
*************************




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

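A command-line reproduction of the direct-CRL setup described in the post, added here as an example; it is not code from the original message or from the poster's application. It builds a throwaway CA1, issues two client certificates, revokes one, publishes CA1's CRL, and then verifies with the openssl CLI options that correspond to the verify flags in the code above. A second CA whose CRL is never loaded reproduces the "unable to get certificate CRL" outcome for a certificate from another issuer. The CA and client names (CA1, CA2, "good client", ...), the config sections and the scratch directory are assumptions for the demo, and it needs the openssl binary (1.1.1 or 3.x) on PATH. Two points a practitioner should keep in mind before moving on to the indirect case: -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL) demands a CRL for every certificate in the chain, trust anchor included, which is why CA1's own CRL also covers the root here; and OpenSSL only considers a CRL whose issuer name differs from the certificate's issuer when that CRL carries an issuingDistributionPoint extension with indirectCRL set, so X509_V_FLAG_EXTENDED_CRL_SUPPORT is necessary for indirect CRLs but not sufficient on its own.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduce the server's
# direct-CRL verification with the openssl CLI. The working directory, the
# CA and client names and the config sections are assumptions for this demo.
set -eu
W=$(mktemp -d)   # scratch directory; all key material is constructed here

# Minimal config for "openssl ca": database, serial and CRL-number files, and
# a self-signed CA with keyCertSign+cRLSign so its CRL signature is acceptable.
cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $W
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_cert
[ demo_policy ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
touch "$W/index.txt"
echo 01 > "$W/serial"
echo 01 > "$W/crlnumber"

# Helpers; stderr of the setup steps is silenced to keep the output readable.
new_ca()  { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ca.cnf" \
              -subj "/CN=$1" -keyout "$W/$2.key" -out "$W/$2.pem" 2>/dev/null; }
new_csr() { openssl req -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
              -subj "/CN=$1" -keyout "$W/$2.key" -out "$W/$2.csr" 2>/dev/null; }

# CA1 issues two client certs through "openssl ca" so they land in its database.
new_ca CA1 ca
for n in good revoked; do
  new_csr "$n client" "$n"
  openssl ca -batch -config "$W/ca.cnf" -days 30 -notext \
      -in "$W/$n.csr" -out "$W/$n.pem" 2>/dev/null
done
# Revoke one of them and publish CA1's CRL: the "direct CRL" case of the post.
openssl ca -config "$W/ca.cnf" -revoke "$W/revoked.pem" 2>/dev/null
openssl ca -config "$W/ca.cnf" -gencrl -out "$W/ca.crl" 2>/dev/null

# An unrelated CA2 whose CRL is never loaded, to reproduce the
# "unable to get certificate CRL" outcome for a cert from another CA.
new_ca CA2 ca2
new_csr "other client" other
openssl x509 -req -days 30 -in "$W/other.csr" -CA "$W/ca2.pem" -CAkey "$W/ca2.key" \
    -CAcreateserial -out "$W/other.pem" 2>/dev/null
cat "$W/ca.pem" "$W/ca2.pem" > "$W/trusted.pem"

# CLI equivalent of the server's setup: -CRLfile loads the CRL file into the
# store (what the poster's load_file_lookup does); -crl_check, -crl_check_all
# and -extended_crl map to X509_V_FLAG_CRL_CHECK, X509_V_FLAG_CRL_CHECK_ALL and
# X509_V_FLAG_EXTENDED_CRL_SUPPORT. Prints the verify result and never aborts.
verify_with_crl() {
  openssl verify -CAfile "$W/trusted.pem" -CRLfile "$W/ca.crl" \
      -crl_check -crl_check_all -extended_crl "$1" 2>&1 || true
}

# good.pem -> OK; revoked.pem -> "certificate revoked";
# other.pem -> "unable to get certificate CRL" (no CRL from CA2 was loaded).
for c in good revoked other; do
  echo "== $c.pem"
  verify_with_crl "$W/$c.pem"
done
```

Swap the CRL passed to -CRLfile for an empty file to see that even the unrevoked CA1 certificate then fails with "unable to get certificate CRL", which is the same outcome the post reports for a certificate from a CA whose CRL is not loaded.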