OK better but not perfect:
1) missing CA in trusted roots: fails to verify; good
2) missing CRL: FAILS TO VERIFY; BAD
3) CRL with revoked cert: fails to verify, good
3.bis) CRL _without_ revoked cert: verifies, good
so it seems the coup-de-grace would be to make the absence of the CRL act
like nothing is revoked, or add some options/parameters, maybe like:
cryptoapi-chain-validation require-crl-present
I'd still like to see an example of a well-formed value for CDP, and
Authority Info Access extension so I can re-issue my CA cert and test the
hypothetical CAPI built-in OCSP/CRL checking....
-Dave
> -----Original Message-----
> From: Alon Bar-Lev [mailto:[email protected]]
> Sent: Saturday, October 18, 2008 3:29 PM
> To: Dave
> Cc: openvpn devel
> Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
>
>
> Oh!
> Thanks!!!!
> I feared I had to install Windows again :)
>
> So now everything should be fine... you should be able to
> check the chain validation...
> 1. Without trusted CA in store.
> 2. Without CRL in store.
> 3. With CRL but with certificate revoked.
>
> Alon.
>
> On 10/18/08, Dave <[email protected]> wrote:
> > Sorry, I lied. Success! I somehow failed to copy the openvpn.exe
> > over. Attached herewith is the log.
> >
> >
> >
> > > -----Original Message-----
> > > From: Dave [mailto:[email protected]]
> > > Sent: Saturday, October 18, 2008 3:19 PM
> > > To: 'Alon Bar-Lev'
> > > Cc: 'openvpn devel'
> > > Subject: RE: [Openvpn-devel] [MSCAPI] Need testers
> > >
> > >
> > > Alas, the same.
> > >
> > > > -----Original Message-----
> > > > From: Alon Bar-Lev [mailto:[email protected]]
> > > > Sent: Saturday, October 18, 2008 2:31 PM
> > > > To: Dave
> > > > Cc: openvpn devel
> > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > >
> > > >
> > > > Thank you for your time!
> > > > > Last time... If we don't make any progress I will install
> > > > > Windows setup when I have some free time. The problem may
> > > > > be due to RSA_FLAG_SIGN_VER flag that should be set on the
> > > > > RSA and not the method. Can you please test [1]?
> > > > Alon.
> > > >
> > > > [1]
> http://alon.barlev.googlepages.com/openvpn-mscapi-test-7.tar.bz2
> > > >
> > > > On 10/18/08, Dave <[email protected]> wrote:
> > > > > Nope, still crashes.
> > > > >
> > > > > Application Event Log reveals:
> > > > >
> > > > > Faulting application openvpn.exe, version 0.0.0.0,
> > > > > faulting module libeay32.dll, version 0.9.9.0, fault
> > > > > address 0x0005c4c5.
> > > > >
> > > > > I suppose there's no debug info in the MinGW build -- I
> > > > > can attach a debugger when it crashes and could see the
> > > > > source if there was debug info. Invariably something about
> > > > > my config triggers some boundary case.
> > > > >
> > > > > When testing only with cryptoapicert, the failure occurs
> > > > > also, and is logged as having happened at the same location.
> > > > >
> > > > >
> > > > > -Dave
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Alon Bar-Lev [mailto:[email protected]]
> > > > > > Sent: Saturday, October 18, 2008 1:51 PM
> > > > > > To: Dave
> > > > > > Cc: openvpn devel
> > > > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > > > >
> > > > > >
> > > > > > I cannot see what is wrong, what exactly crashes? Do you
> > > > > > have an entry in event log? I recompiled everything at [1], I
> > > > > > may have had a problem with the libraries. Can you please test
> > > > > > only with cryptoapicert and see if it changes something?
> > > > > > Thanks!
> > > > > >
> > > > > > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-6.tar.bz2
> > > > > >
> > > > > > On 10/18/08, Dave <[email protected]> wrote:
> > > > > > > A little bit further, though now it crashes for me
> > > > > > > using all the binaries you included in your bz file. Log
> > > > > > > attached herewith in case that helps locate the area affected.
> > > > > > >
> > > > > > >
> > > > > > > -Dave
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Alon Bar-Lev [mailto:[email protected]]
> > > > > > > > Sent: Saturday, October 18, 2008 1:01 PM
> > > > > > > > To: Dave
> > > > > > > > Cc: openvpn devel
> > > > > > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > > > > > >
> > > > > > > >
> > > > > > > > Thank you for testing!
> > > > > > > >
> > > > > > > > Found the problem... CryptoAPI cannot validate root
> > > > > > > > certificate... OK, can you please test [1]?
> > > > > > > >
> > > > > > > > I also renamed the option from cryptoapica to
> > > > > > > > cryptoapi-chain-validation, I think it is clearer.
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Alon.
> > > > > > > >
> > > > > > > > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-5.tar.bz2
> > > > > > > >
> > > > > > > > On 10/18/08, Dave <[email protected]> wrote:
> > > > > > > > > Attached herewith is the log of the (failed)
> > > > > > > > > attempt(s) to connect.
> > > > > > > > >
> > > > > > > > > Certs are all OK as far as I can tell (no red X
> > > > > > > > > overlaid).
> > > > > > > > >
> > > > > > > > > This CA cert I created some years back with
> > > > > > > > > easy-RSA. These days I now manage my CA with
> > > > > > > > > XCA off a USB key, but I imported that CA cert
> > > > > > > > > rather than rebuilding the PKI.
> > > > > > > > >
> > > > > > > > > Your CRL/OCSP suggestion is interesting, though of
> > > > > > > > > course that's Windows only (my servers are all Linux).
> > > > > > > > > Actually I was hoping for an extension of the OCSP
> > > > > > > > > patch that was submitted about a year ago, but maybe
> > > > > > > > > that is a task for me to do! Then it would be general
> > > > > > > > > across Windows/Linux. I have not used the extensions
> > > > > > > > > before, and I would love it if you had an example cert
> > > > > > > > > with the CDP or OCSP extensions filled out so I can use
> > > > > > > > > that as a reference to proper form. My OCSP responder
> > > > > > > > > also runs on Linux, rather than Windows.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -Dave
> > > > > > > > >
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > > > Thank you for your tests!
> > > > > > > > > >
> > > > > > > > > > Your configuration is correct.
> > > > > > > > > >
> > > > > > > > > > Can you please double click the certificate
> > > > > > > > > > at the MMC, and see if it is marked "OK"? If there is
> > > > > > > > > > an error then there is probably something wrong with
> > > > > > > > > > CA location or CRL fetch.
> > > > > > > > > >
> > > > > > > > > > How did you enroll your certificate? If you did this
> > > > > > > > > > via Microsoft CA, you have CDP (CRL distribution
> > > > > > > > > > point) X.509 extension that is used by Windows to
> > > > > > > > > > automatically fetch your CRL. If you got OCSP
> > > > > > > > > > responder which is integrated with CAPI on your
> > > > > > > > > > machine it will also work in this configuration.
> > > > > > > > > >
> > > > > > > > > > I added some more debugging information.
> > > > > > > > > > Please run the new version [1] with verb 255.
> > > > > > > > > >
> > > > > > > > > > Thanks!
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > -------------------------------------------------------------------------
> > > > > > > > This SF.Net email is sponsored by the Moblin Your Move
> > > > > > > > Developer's challenge Build the coolest Linux based
> > > > > > > > applications with Moblin SDK & win great prizes Grand prize
> > > > > > > > is a trip for two to an Open Source event anywhere in the
> > > > > > > > world
> > > > > > > > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > > > > > > > _______________________________________________
> > > > > > > > Openvpn-devel mailing list
> > > > > > > > [email protected]
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
> > > > > > > >
> > >
> >
> >
>
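As an added example (not part of this thread, and not OpenVPN's or Alon's code), the four cases listed at the top of the reply can be reproduced on Linux with plain OpenSSL, and the `v3_leaf` section of the embedded config shows well-formed values for the CRL Distribution Points and Authority Info Access extensions that were asked for. The CA name, file names and URLs are constructed placeholders; the CRL is handed to `openssl verify` as a local file, so the CDP URL is never contacted.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenVPN: reproduces the
# four chain-validation cases from Dave's list with plain OpenSSL so the
# same checks can be run on Linux. The CA name, file names and CDP/AIA URLs
# are constructed placeholders; the CRL is handed to "openssl verify"
# locally, so the CDP URL is never fetched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

HAVE_OPENSSL=1
command -v openssl >/dev/null 2>&1 || HAVE_OPENSSL=0

# OpenSSL configuration. The v3_leaf section carries well-formed values for
# the CRL Distribution Points and Authority Information Access extensions.
sed "s|WORKDIR|$WORK|" > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
crlDistributionPoints  = URI:http://pki.example.invalid/demo-ca.crl
authorityInfoAccess    = OCSP;URI:http://ocsp.example.invalid/,caIssuers;URI:http://pki.example.invalid/demo-ca.crt
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = WORKDIR
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF

build_pki() {
    [ "$HAVE_OPENSSL" = 1 ] || return 0
    touch "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 1000 > "$WORK/crlnumber"
    # Self-signed CA, then a client certificate issued with the v3_leaf extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CNF" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" -config "$CNF" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl ca -batch -config "$CNF" -extensions v3_leaf -days 365 -notext \
        -in "$WORK/client.csr" -out "$WORK/client.crt" >/dev/null 2>&1
    # One CRL before revoking the client certificate, one after.
    openssl ca -config "$CNF" -gencrl -out "$WORK/clean.crl" >/dev/null 2>&1
    openssl ca -config "$CNF" -revoke "$WORK/client.crt" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$WORK/revoked.crl" >/dev/null 2>&1
}

# Prints ok, fail, or skip (no openssl binary) for one "openssl verify" run.
verify_case() {
    [ "$HAVE_OPENSSL" = 1 ] || { echo skip; return 0; }
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# 1) CA absent from the trust store: no trust anchors are supplied at all.
case_missing_ca()  { verify_case -no-CAfile -no-CApath "$WORK/client.crt"; }
# 2) Revocation checking requested but no CRL reachable: OpenSSL fails closed here too.
case_missing_crl() { verify_case -CAfile "$WORK/ca.crt" -crl_check "$WORK/client.crt"; }
# 3) CRL present and the certificate is on it.
case_revoked()     { verify_case -CAfile "$WORK/ca.crt" -CRLfile "$WORK/revoked.crl" -crl_check "$WORK/client.crt"; }
# 3.bis) CRL present and the certificate is not on it.
case_crl_clean()   { verify_case -CAfile "$WORK/ca.crt" -CRLfile "$WORK/clean.crl" -crl_check "$WORK/client.crt"; }

build_pki
if [ "$HAVE_OPENSSL" = 1 ]; then
    echo "CDP/AIA values as encoded in the client certificate:"
    openssl x509 -in "$WORK/client.crt" -noout -text | grep 'URI:'
fi
echo "1)     missing CA in trusted roots: $(case_missing_ca)"
echo "2)     missing CRL:                 $(case_missing_crl)"
echo "3)     CRL with revoked cert:       $(case_revoked)"
echo "3.bis) CRL without revoked cert:    $(case_crl_clean)"
```

Run it with `sh`; it prints the encoded CDP/AIA URIs and one ok/fail line per case. The `require-crl-present` switch proposed above is exactly the difference between case 2 and case 3.bis: a strict policy fails closed when no CRL can be found (what CAPI and `openssl verify -crl_check` both do), while a lenient one treats a missing CRL as "nothing revoked", which makes a CRL that could not be retrieved indistinguishable from a clean one.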