Openssl not properly validating certificates?
Hi, I've done some googling and failed to come up with an answer... I have openssl 1.0.0-25 (also seeing it as 1.0.0-fips) installed on a test server running CentOS 6.3 (2.6.32-279.14.1.el6.x86_64). It is the latest one available from the CentOS repositories. I've downloaded and set up several Certificate Authorities as trusted certs and their accompanying CRLs. I've created the hash links for the CRLs and CAs as well.

When I run a test on some test certificates I received, they all come back OK, even though some are expired and some are revoked. I've run the following verify command and expected different results, flagging TestOne as valid, TestThirtySeven as revoked and TestForty as expired. I also tried the crl_check_all and purpose flags, with no different results.

  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestOne_Valid.pem
  TestOne_Valid.pem: OK
  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestForty_Expired.pem
  TestForty_Expired.pem: OK
  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose TestThirtySeven_Revoked.pem
  TestThirtySeven_Revoked.pem: OK
  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestOne_Valid.pem
  TestOne_Valid.pem: OK
  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestForty_Expired.pem
  TestForty_Expired.pem: OK
  [root@dmapsdev01 TestCerts]# openssl verify -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
  TestThirtySeven_Revoked.pem: OK
  [root@dmapsdev01 TestCerts]#

Similarly, when I run from a browser, with tomcat configured for CRL checking (using APR tcnative), tomcat lets the expired and revoked certificates pass.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: [openssl-users] Openssl not properly validating certificates?
They are US gov't certificates/CRLs, so providing them is a little complicated. Before I had the proper root/intermediate CAs loaded and hashed, I would get errors about missing certs in the chain. Similarly, before I loaded the CRL, it would have issues. The certs are in PEM format, as well as the CRLs.

On Wed, Dec 5, 2012 at 10:23 AM, Erwann Abalea <erwann.aba...@keynectis.com> wrote:
> OpenSSL 1.0.1 works fine here, both with expired and revoked certificates (i.e. correctly reports the status).
> Could you share your elements (certs, CRLs)?
>
> --
> Erwann ABALEA - chlorophytophonie: music for green plants
>
> On 05/12/2012 15:11, Will Nordmeyer wrote:
>> [...]
Re: [openssl-users] Openssl not properly validating certificates?
On Wed, Dec 5, 2012 at 10:47 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Wed, Dec 05, 2012, Will Nordmeyer wrote:
>> [...]
>
> I'd suggest you try a version of OpenSSL from the website to see if you have problems with that. Version 1.0.0-25 or 1.0.0-fips is not a standard OpenSSL version.

I installed 1.0.1c (and verified it is the one being called). When I first reran the commands as I listed earlier, I got

  error 20 at 0 depth lookup:unable to get local issuer certificate

I added -CApath /etc/ssl/certs and everything comes back OK again.
Re: [openssl-users] Openssl not properly validating certificates?
On Wed, Dec 5, 2012 at 11:22 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Wed, Dec 05, 2012, Will Nordmeyer wrote:
>> [...]
>
> Try a sanity check on a certificate, for example:
>
> openssl x509 -in TestForty_Expired.pem -noout -dates

OK... now I have insanity -

  openssl x509 -in TestFortyTwo_Expired.pem -noout -dates
  notBefore=Dec 30 18:09:39 2008 GMT
  notAfter=Dec 29 18:09:39 2014 GMT

I have certificate 42 imported into my Internet Explorer browser, and it indicates the validity dates as: IE tells me it is valid from 9/13/2011 to 9/14/2011.

Can I switch careers to basket weaving?
Re: [openssl-users] Openssl not properly validating certificates?
On Wed, Dec 5, 2012 at 12:18 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 12/5/2012 5:30 PM, Will Nordmeyer wrote:
>> [...]
>>
>> I have certificate 42 imported into my Internet Explorer browser, and it indicates the validity dates as: IE tells me it is valid from 9/13/2011 to 9/14/2011.
>
> Ok, try
>
> openssl x509 -in TestFortyTwo_Expired.pem -noout -text
>
> and compare all the details to what you see in IE. Maybe it is not the same certificate.
>
>> Can I switch careers to basket weaving?
>
> Nah, I think that got outsourced (back) to China too.
>
> Enjoy

AH - found the issue... my TestFortyTwo_Expired.pem has 3 certs in it: the root cert, the intermediate cert and then the user cert.

I stripped out the root and intermediate certs from the PEM file and openssl now properly reports TestFortyTwo_Expired.pem as expired.

I did the same clean up on TestThirtySeven_Revoked.pem - took out the root cert and the intermediate cert, and then ran it through dates - dates are fine ... ran it through verify with the following command to see a revoked certificate response:

  # openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose -purpose sslclient TestThirtySeven_Revoked.pem
  TestThirtySeven_Revoked.pem: OK
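The pitfall the thread ends on, as an added example that is not from the thread or the OpenSSL project: `openssl verify FILE` reads only the first certificate in FILE, so a bundle that starts with the trusted root reports OK no matter what state the leaf further down is in. The helper below splits a bundle into its blocks and checks each one on its own; the sample bundle is constructed, and `pem_inspect` assumes openssl is installed and the CAs/CRLs are hashed under /etc/ssl/certs (the path used in the thread).

```shell
# Added example, not from the thread. "openssl verify FILE" checks only the
# FIRST certificate in FILE, so a bundle that starts with the trusted root
# reports "OK" whatever the state of the leaf further down. Split it first.

# pem_cert_count FILE -> number of CERTIFICATE blocks in FILE
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# pem_split FILE OUTDIR -> OUTDIR/cert-1.pem, cert-2.pem, ... in file order.
# Text outside BEGIN/END (e.g. "Bag Attributes" from pkcs12) is dropped.
pem_split() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > out }
        /^-----END CERTIFICATE-----/   { close(out); inside = 0 }
    ' "$1"
}

# pem_inspect FILE -> subject/issuer/dates and a stand-alone verify result
# for EACH block. Assumes openssl is installed and the CAs and CRLs are
# hashed under /etc/ssl/certs (the path used in the thread).
pem_inspect() {
    tmp=$(mktemp -d) || return 1
    pem_split "$1" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        echo "== ${f##*/}"
        openssl x509 -in "$f" -noout -subject -issuer -dates
        openssl verify -CApath /etc/ssl/certs -crl_check_all -verbose "$f"
    done
    rm -rf "$tmp"
}

# make_sample_bundle FILE -> a CONSTRUCTED bundle laid out like the thread's
# TestFortyTwo_Expired.pem (root, intermediate, leaf). The bodies are
# placeholders in the base64 alphabet, not real certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATECAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

Running `pem_inspect TestFortyTwo_Expired.pem` on a real bundle prints one verify verdict per block, so the leaf's own expired or revoked status is visible instead of being masked by the root that precedes it.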