Re: [CentOS] Certificates Revocation Lists and Apache...
John Doe wrote:

> [warn] Invalid signature on CRL
> [error] Certificate Verification: Error (8): CRL signature failure

Any relation to this?
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

I've worked with a lot of ssl stuff in apache but have never touched CRL before. Interestingly enough, I found last year that some of verisign's CRLs weren't built to scale. One of our customers put some content on their site that pointed back to us, which then triggered a call to the CRL for those people using IE and Symantec anti virus (which turned on the CRL option in IE). The site was a very high traffic site, and the customers routinely got errors from the CRL site because it was overloaded with requests.

So few use CRL, I really don't see the benefit, but I suppose in really controlled environments it could be useful (just not to me).

nate

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Certificates Revocation Lists and Apache...
From: nate cen...@linuxpowered.net

> Any relation to this?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

I don't think so; my tests are quite simple:

- Start from clean state (
- Generate CA certificate
- Generate CASSL certificate signed by CA
- Generate Client Certificate signed by CASSL
- Generate Revocation Certificate signed by CASSL

All the steps are in one go (no changes of any kind in between). In my tests, I am only using one crl file with one revocation certificate. Tried the revocationpath and it did nothing at all for me...

> So few use CRL, I really don't see the benefit, but I suppose in really controlled environments it could be useful (just not to me).

The goal is to be able to distribute client certificates to filter web access to certain resources. But we also need a way to revoke such access in the future if needed. Let's say someone lost his laptop with his certificate, or he became an evil hacker, or he just left the company... We need to disable his certificate, instead of having to regenerate the CASSL certificate and all the clients' certificates... or wait for it to expire...

Thx,
JD
Re: [CentOS] Certificates Revocation Lists and Apache...
John Doe wrote:

> The goal is to be able to distribute client certificates to filter web access to certain resources.

How about using just basic user names and passwords? Seems a lot simpler. Client certs can really make things messy and complicated. I worked with them a bunch several years ago, ENDLESS headaches, and we weren't using CRL formally, at least; the application had a sort of CRL built into it, where we specifically registered certain CN's with the app, and apache just acted as a pass-through mechanism to the app (which was java/tomcat).

http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

nate
Re: [CentOS] Certificates Revocation Lists and Apache...
On Wed, 4 Nov 2009, John Doe wrote:

> already asked in the openssl mailing list, but just in case you already went through this...
> I need a little help with Certificate Revocation Lists.
> I did set up client certificates filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a CA that is signing a CA SSL. Then, the CA SSL is signing the clients' certificates.
> Now, I am testing Certificate Revocation Lists, but apache keeps saying: Invalid signature on CRL
> I used:
>   $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
>   []
>   $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
> So far so good.
> When I try to connect with a revoked (or unrevoked) certificate, I get:
>   [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
>   [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
>   [warn] Invalid signature on CRL
>   [error] Certificate Verification: Error (8): CRL signature failure

Does your CA SSL certificate have its CRL signing bit set?

  openssl x509 -noout -purpose -in yourcert.pem | grep CRL

Also, there's an Apache bug that fouls things up if the CA and CA SSL root certificates both have the same CN:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

> How can I check if the crl.pem file is ok?
>   $ openssl crl -in cassl/crl.pem -text
>   [...]

This is the best way, and it looks as if things are OK.

> I also tried all sorts of verify combos, but all fail:
>   $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem

The 'verify' option is only good for certificates, not CRLs. It's also worth noting that the 'verify' option doesn't do any CRL checking. Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page and you'll see a lot of 'unused' notes.

--
Paul Heinlein
heinl...@madboa.com
http://www.madboa.com/
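The following script is an added example, not something posted in the thread or taken from the tutorial JD used. It walks the CA -> CASSL -> client chain from JD's second post with openssl(1), then runs the two checks Paul raises in the last post (the cRLSign bit on the CRL issuer, and distinct subjects for the two CA certificates, the condition behind Apache bug 45708), verifies the CRL signature against CASSL the way mod_ssl does, and finally checks the client certificate against an empty CRL and against the CRL produced after revocation. It goes a little beyond the thread in that last step: current OpenSSL does check a leaf against a CRL with `verify -crl_check -CRLfile`, which lets you confirm a revocation before involving Apache. The openssl.cnf layout, the file paths under `cassl/`, the subject names and the client name `alice` are all assumptions; it needs only a stock `openssl` binary and runs in a temporary directory.

```shell
#!/bin/sh
# Added example: CA -> CASSL (intermediate) -> client chain, a CRL issued by CASSL,
# and the checks that explain "Invalid signature on CRL". All names/paths assumed.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"
mkdir -p cassl/newcerts; : > cassl/index.txt; echo 1000 > cassl/serial; echo 1000 > cassl/crlnumber

# Minimal config for `openssl req` and `openssl ca`. ca_ext gives both CA certs
# keyCertSign + cRLSign; cRLSign is the bit mod_ssl needs on the CRL issuer.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_ssl_default
[ CA_ssl_default ]
dir = ./cassl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cassl.crt
private_key = $dir/cassl.key
default_md = sha256
default_days = 365
default_crl_days = 365
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# 1. Root CA, 2. CASSL signed by the root. Distinct CNs on purpose (bug 45708).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config openssl.cnf -extensions ca_ext \
  -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
  -subj "/CN=Example Issuing CA (CASSL)" -keyout cassl/cassl.key -out cassl.csr 2>/dev/null
openssl x509 -req -in cassl.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -extfile openssl.cnf -extensions ca_ext -out cassl/cassl.crt 2>/dev/null
# 3. Client certificate issued by CASSL through `openssl ca`, as in JD's commands.
openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
  -subj "/CN=alice" -keyout client.key -out client.csr 2>/dev/null
openssl ca -config openssl.cnf -name CA_ssl_default -batch -notext \
  -in client.csr -out cassl/client.pem 2>/dev/null
# 4. A CRL before revocation and one after it, both signed by CASSL.
openssl ca -config openssl.cnf -name CA_ssl_default -gencrl -out cassl/crl-empty.pem 2>/dev/null
openssl ca -config openssl.cnf -name CA_ssl_default -revoke cassl/client.pem 2>/dev/null
openssl ca -config openssl.cnf -name CA_ssl_default -gencrl -crldays 365 -out cassl/crl.pem 2>/dev/null

crl_signer_ok() {      # Paul's check: does the CRL issuer carry the CRL signing bit?
  openssl x509 -noout -purpose -in cassl/cassl.crt | grep -q '^CRL signing : Yes' && echo yes || echo no
}
subjects_distinct() {  # guard against the same-CN condition of Apache bug 45708
  [ "$(openssl x509 -noout -subject -in ca.crt)" != "$(openssl x509 -noout -subject -in cassl/cassl.crt)" ] \
    && echo yes || echo no
}
crl_signature_ok() {   # what mod_ssl does before using a CRL: verify it against its issuer
  openssl crl -in "$1" -noout -CAfile cassl/cassl.crt >/dev/null 2>&1 && echo yes || echo no
}
client_status() {      # OK / REVOKED / FAILED for the client cert against the CRL in $1
  if out=$(openssl verify -crl_check -CAfile ca.crt -untrusted cassl/cassl.crt \
             -CRLfile "$1" cassl/client.pem 2>&1); then
    echo OK
  else
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAILED ;; esac
  fi
}

echo "CRL signing bit on CASSL: $(crl_signer_ok)"            # yes
echo "distinct CA subjects:     $(subjects_distinct)"         # yes
echo "crl.pem signature:        $(crl_signature_ok cassl/crl.pem)"   # yes
echo "client vs empty CRL:      $(client_status cassl/crl-empty.pem)" # OK
echo "client vs crl.pem:        $(client_status cassl/crl.pem)"       # REVOKED
```

The `cassl/crl.pem` this produces is the file mod_ssl's `SSLCARevocationFile` points at; note that on Apache 2.4 the CRL is only consulted when `SSLCARevocationCheck` is set to `leaf` or `chain`, since its default is `none`. If `crl_signer_ok` prints `no`, the CASSL certificate was issued without `cRLSign` and every CRL it signs will be rejected with exactly the "Invalid signature on CRL" warning from the thread, no matter how the CRL itself looks under `openssl crl -text`.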