Re: Certificate and CRL Path Validation Error

2006-09-04 Thread Joe Orton
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
> On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
>
> > (I'll probably take this over to modssl-devel, but since you asked, I
> > thought that I would bring it up here.)
>
> Hmm - I thought there WAS a developers mailing list, but apparently I was
> mistaken - so I guess I have to ask is this the right place to have
> discussions about the best way to add in the capability for mod_ssl to do
> full 3280 path validation?

New mod_ssl development generally happens in the httpd 2.x tree, so 
dev@httpd.apache.org is where it is discussed.  I don't think Ralf is 
adding new features to mod_ssl 2.8 any more.

Regards,

joe
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Certificate and CRL Path Validation Error

2006-08-31 Thread rlabbe
All,

I am working in an environment utilizing a PKI consisting of several 
Root and Intermediate Certificate Authorities. In order to reduce the 
overhead when requiring client authentication using digital 
certificates, I am using the following two directives:

SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to Process Certificate Revocation Lists

I’ve yet to encounter a version of Apache and Mod_SSL performing proper 
path validation. If a user presents a certificate that is revoked, but 
not included in the directory containing all the PEM/Base64 encoded CRL 
files and associated symbolic links, Apache allows access. 

If a user presents a certificate issued from an Intermediate 
Certificate Authority that is not included in the directory containing 
all the Root and Intermediate CA certificates in PEM/Base64 encoded 
format and associated symbolic links, he/she is allowed access.

I would prefer the system to validate the entire chain and not allow 
access in the event a local CRL file or Intermediate CA certificate is 
not available. By default, IIS performs this path validation correctly. 
If IIS does not have a current CRL file issued by each and every CA in 
the certificate path, the client is denied access. If IIS does not have 
a certificate from each and every CA in the certificate path, the 
client is denied access.

I am trying to automate the process of updating the CA certificate 
directory and associated CRL directories by scheduling a job to run on 
a nightly basis. If Apache has a local CRL and CA certificate from each 
and every CA in the path used to issue the client certificates, then 
all checks are performed and the client is properly validated. 

I would prefer the system default to “Closed” instead of “Open” in the 
event an Intermediate CA certificate is unavailable or no CRL file is 
available. Again, the system must have at least one CA certificate 
trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate 
issued by one of the Intermediate CAs and Apache does deny access 
because the key usage of the client certificate does not allow it to be 
used as a Root CA and issue additional client certificates. I used 
OpenSSL in order to issue client certificates from a client 
certificate. This type of path validation seems to work on all the 
versions of Apache and Mod_SSL I’ve tested.

Thanks
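
An added example, not part of the original post or of mod_ssl: a pre-flight check that the nightly update job described above could run, failing closed when any CA certificate in the SSLCACertificatePath directory lacks an unexpired CRL in the SSLCARevocationPath directory. The `*.pem` file naming, the function names and the use of GNU `date` are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a nightly CA/CRL refresh job.
# Assumed layout (hypothetical): PEM files named *.pem in both directories.

# crl_is_current FILE -> 0 if the CRL's nextUpdate lies in the future.
crl_is_current() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null | cut -d= -f2) || return 1
    [ -n "$next" ] || return 1
    # GNU date parses OpenSSL's "Sep  5 12:00:00 2006 GMT" format.
    next_s=$(date -u -d "$next" +%s 2>/dev/null) || return 1
    [ "$next_s" -gt "$(date -u +%s)" ]
}

# check_crl_coverage CA_DIR CRL_DIR
# 0 = every CA has a current CRL; 1 = a gap exists (or no CA at all); 2 = bad arguments.
check_crl_coverage() {
    ca_dir=$1; crl_dir=$2; rc=0; seen=0
    [ -d "$ca_dir" ] && [ -d "$crl_dir" ] || { echo "missing directory" >&2; return 2; }
    for ca in "$ca_dir"/*.pem; do
        [ -f "$ca" ] || continue
        seen=1
        ca_hash=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null)
        if [ -z "$ca_hash" ]; then
            echo "UNREADABLE $ca" >&2; rc=1; continue
        fi
        covered=0
        for crl in "$crl_dir"/*.pem; do
            [ -f "$crl" ] || continue
            crl_hash=$(openssl crl -in "$crl" -noout -hash 2>/dev/null)
            [ "$crl_hash" = "$ca_hash" ] || continue   # CRL issued by a different CA
            if crl_is_current "$crl"; then covered=1; break; fi
        done
        if [ "$covered" -eq 0 ]; then
            echo "NO CURRENT CRL for $ca" >&2; rc=1
        fi
    done
    # An empty CA directory must not count as success.
    [ "$seen" -eq 1 ] || { echo "no CA certificates in $ca_dir" >&2; return 1; }
    return "$rc"
}
```

The check compares issuer name hashes and `nextUpdate` only and does not verify CRL signatures. In httpd 2.4, `SSLCARevocationCheck chain` makes mod_ssl itself fail validation when no CRL is found for a certificate in the chain.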


Re: Certificate and CRL Path Validation Error

2006-08-31 Thread Patrick Patterson
Hi There:

The limitations of mod_ssl for path validation are further than what you have 
described, in that it also cannot perform policy mapping up the entire 
certificate chain, and also has no concept of how to deal with AIA or SIA 
fields. I'm not sure where the developers are in terms of full RFC 3280 Path 
Validation compliance, but as we also have a need for more full path 
validation, especially a model that will work in a Cross-Certification type 
environment.

It is our intent to be starting to work on this this fall, unless we hear from 
the community that there is already work underway to add in full 3280 
validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought 
that I would bring it up here.)

Cheers.

On Thursday 31 August 2006 08:53, [EMAIL PROTECTED] wrote:
> All,
>
> I am working in an environment utilizing a PKI consisting of several
> Root and Intermediate Certificate Authorities. In order to reduce the
> overhead when requiring client authentication using digital
> certificates, I am using the following two directives:
>
> SSLCACertificatePath – Used for Root and Intermediate CAs
> SSLCARevocationPath – Used to Process Certificate Revocation Lists
>
> I’ve yet to encounter a version of Apache and Mod_SSL performing proper
> path validation. If a user presents a certificate that is revoked, but
> not included in the directory containing all the PEM/Base64 encoded CRL
> files and associated symbolic links, Apache allows access.
>
> If a user presents a certificate issued from an Intermediate
> Certificate Authority that is not included in the directory containing
> all the Root and Intermediate CA certificates in PEM/Base64 encoded
> format and associated symbolic links, he/she is allowed access.
>
> I would prefer the system to validate the entire chain and not allow
> access in the event a local CRL file or Intermediate CA certificate is
> not available. By default, IIS performs this path validation correctly.
> If IIS does not have a current CRL file issued by each and every CA in
> the certificate path, the client is denied access. If IIS does not have
> a certificate from each and every CA in the certificate path, the
> client is denied access.
>
> I am trying to automate the process of updating the CA certificate
> directory and associated CRL directories by scheduling a job to run on
> a nightly basis. If Apache has a local CRL and CA certificate from each
> and every CA in the path used to issue the client certificates, then
> all checks are performed and the client is properly validated.
>
> I would prefer the system default to “Closed” instead of “Open” in the
> event an Intermediate CA certificate is unavailable or no CRL file is
> available. Again, the system must have at least one CA certificate
> trusted and available locally, but no CRL files.
>
> Note: I have issued a client certificate from a client certificate
> issued by one of the Intermediate CAs and Apache does deny access
> because the key usage of the client certificate does not allow it to be
> used as a Root CA and issue additional client certificates. I used
> OpenSSL in order to issue client certificates from a client
> certificate. This type of path validation seems to work on all the
> versions of Apache and Mod_SSL I’ve tested.
>
> Thanks

-- 
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca


Re: Certificate and CRL Path Validation Error

2006-08-31 Thread Patrick Patterson
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:

> (I'll probably take this over to modssl-devel, but since you asked, I
> thought that I would bring it up here.)


Hmm - I thought there WAS a developers mailing list, but apparently I was 
mistaken - so I guess I have to ask is this the right place to have 
discussions about the best way to add in the capability for mod_ssl to do 
full 3280 path validation?

Thanks.

-- 
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca