RE: CRL management pb

2007-05-23 Thread jfhuynh

Hello all,

I built an SSL server with client authentication (I use OpenSSL 0.9.8d).
I wanted to know why I get the error "no certificate returned" when the client
certificate is revoked, and not a more explicit one.

I decided to compile the OpenSSL code to check where my problem is:
in s3_srvr.c, I found the code executed:
i=ssl_verify_cert_chain(s,sk);
if (!i)
{
    al=ssl_verify_alarm_type(s->verify_result);
    SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
    goto f_err;
}
and the ssl_verify_cert_chain function performs a lot of checks, including the
peer CRL check (I have seen it with printf...).

Is there a way to get a more appropriate error on the stack, like
SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED, which is not used at the moment?
Or shall I wait for a new version of OpenSSL?


Thank you for your response,
Jf




__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: CRL management pb

2007-05-16 Thread jfhuynh

Thank you Steve ..

I tried to perform the test with s_server, but I believe it does not handle a CRL
file (no option for this, apparently) :(



 Thank you Dr. Henson for the answer ..
 I feel more reassured ... :)

 I managed to go a little bit further in my test now, after having put the right
 certificate on the client side.
 I am quite surprised by the behaviour of my server, since when the client
 certificate belongs to the CRL handled by my server, this time I get the
 handshake error (no certificate returned). I was expecting a message like
 "CR revoked" .. (the client connection was refused before I used the
 SSL_get_verify_result API, as I expected at first.)
 Is it the normal behaviour or have I forgotten to set an option?


I'd suggest you set up s_client/s_server with the appropriate certificates and
CRL and see if you get the same results.

Steve.


Re: CRL management pb

2007-05-16 Thread Dr. Stephen Henson
On Wed, May 16, 2007, [EMAIL PROTECTED] wrote:

 
 Thank you Steve ..
 
 I tried to perform the test with s_server, but I believe it does not handle a CRL
 file (no option for this, apparently) :(
 

In OpenSSL 0.9.8 and later at least you set the -crl_check option or
-crl_check_all. The certificates and CRL(s) for verification can be supplied
in a single file using -CAfile or a directory using -CApath.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: CRL management pb

2007-05-16 Thread Victor B. Wagner
On 2007.05.16 at 13:30:12 +0200, Dr. Stephen Henson wrote:

 
 In OpenSSL 0.9.8 and later at least you set the -crl_check option or
 -crl_check_all. The certificates and CRL(s) for verification can be supplied
 in a single file using -CAfile or a directory using -CApath.

But it is still undocumented in the current snapshot.

Is it a good idea to run some automated script on all *.c files in apps
to find the list of all options for all commands, and then on *.pod in
doc/apps to find which ones are not documented?

Really there are three lists to compare: the list of options actually
recognized by the command, the list of options reported by the utility when an
invalid option is specified, and the list of options documented in the man page.

Same question about API documentation.

There is the list of functions/macros actually implemented, the list
of functions/macros in the ssl(3) manpage,
the list of functions actually described in the pod documentation,
and the list of links to the documentation pages which are created during
installation.

And a similar problem for libcrypto functions, which is even worse because
summary man pages such as x509(3) do not have a comprehensive list of
functions, and some big parts of the library (such as the ASN.1 handling
routines) don't even have a summary man page.

 
 Steve.
 


Re: CRL management pb

2007-05-16 Thread jfhuynh

Just to be sure...
I have a CRL file called crl.pem and a CA file called trustees.pem.
To perform the CRL check with s_server, do I have to create a new file cacrlfile.pem
which is the concatenation of the trustees.pem and crl.pem files,
and launch the following command:
openssl s_server -accept 7770 -cert certificat.pem -key rsakey.pem -CAfile cacrlfile.pem -debug -bugs -crl_check
?

Thanks in advance,


Selon Dr. Stephen Henson [EMAIL PROTECTED]:


 On Wed, May 16, 2007, [EMAIL PROTECTED] wrote:

 
  Thank you Steve ..
 
  I tried to perform the test with s_server, but I believe it does not handle a
  CRL file (no option for this, apparently) :(
 

 In OpenSSL 0.9.8 and later at least you set the -crl_check option or
 -crl_check_all. The certificates and CRL(s) for verification can be supplied
 in a single file using -CAfile or a directory using -CApath.

 Steve.





Re: CRL management pb

2007-05-16 Thread Dr. Stephen Henson
On Wed, May 16, 2007, [EMAIL PROTECTED] wrote:

 
 Just to be sure...
 I have a CRL file called crl.pem and a CA file called trustees.pem.
 To perform the CRL check with s_server, do I have to create a new file
 cacrlfile.pem
 which is the concatenation of the trustees.pem and crl.pem files,
 and launch the following command:
 openssl s_server -accept 7770 -cert certificat.pem -key rsakey.pem -CAfile
 cacrlfile.pem -debug -bugs -crl_check
 ?
 

That should do the trick, yes.

Steve.
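
The CLI check Steve describes (trust anchors and CRL in one -CAfile bundle, with -crl_check) and the concatenated cacrlfile.pem jf asks about, as an added example that is not part of the thread or of OpenSSL itself. It builds a throwaway CA, issues two client certificates, revokes one, and runs openssl verify against the bundle with and without -crl_check. All file names, the CN values and the demo config are assumptions of this example; the s_server/s_client lines at the end are shown but not run.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project: build a
# throwaway CA, issue two client certificates, revoke one, and check that a
# single -CAfile bundle holding the CA certificate and its CRL makes OpenSSL
# report the revoked one, but only when -crl_check is given. Every file name
# (ca.key, good.pem, bad.pem, cacrl.pem, demo.cnf) is an assumption of this demo.
set -e

WORK=$(mktemp -d)                 # scratch directory; removed on exit
trap 'rm -rf "$WORK"' EXIT

setup_pki() {
    # One config file serving both "openssl req" and "openssl ca", so the
    # demo does not depend on the system openssl.cnf.
    cat > "$WORK/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    # Constructed test PKI: a self-signed CA plus two client certificates.
    openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext -sha256 -days 30 \
        -newkey rsa:2048 -nodes -subj /CN=Demo-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    for name in good bad; do
        openssl req -config "$WORK/demo.cnf" -new -sha256 -newkey rsa:2048 -nodes \
            -subj "/CN=$name-client" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    done
    openssl x509 -req -sha256 -days 30 -in "$WORK/good.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 1001 -extfile "$WORK/demo.cnf" -extensions leaf_ext -out "$WORK/good.pem" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/bad.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 1002 -extfile "$WORK/demo.cnf" -extensions leaf_ext -out "$WORK/bad.pem" 2>/dev/null

    # Revoke bad.pem and issue a CRL. "openssl ca -revoke" adds the serial to an
    # empty index.txt itself, so no prior "openssl ca" issuance is needed.
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    openssl ca -config "$WORK/demo.cnf" -revoke "$WORK/bad.pem" 2>/dev/null
    openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null

    # The bundle from the thread: trust anchor(s) and CRL(s) in one PEM file,
    # usable with -CAfile by "openssl verify" and by s_server/s_client alike.
    cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/cacrl.pem"
}

# verify_client CERT [extra "openssl verify" flags, e.g. -crl_check]
# Prints OK, revoked, or the raw verify error so all three cases are visible.
verify_client() {
    cert=$1; shift
    if out=$(openssl verify -CAfile "$WORK/cacrl.pem" "$@" "$cert" 2>&1); then
        echo OK
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo "error: $out" ;;
        esac
    fi
}

setup_pki
echo "good.pem with -crl_check:    $(verify_client "$WORK/good.pem" -crl_check)"
echo "bad.pem  without -crl_check: $(verify_client "$WORK/bad.pem")"
echo "bad.pem  with -crl_check:    $(verify_client "$WORK/bad.pem" -crl_check)"

# The same bundle on the TLS side (not run here). s_server only asks for a
# client certificate when -verify/-Verify is given, and with -crl_check it
# rejects the revoked one during the handshake:
#   openssl s_server -accept 7770 -cert server.pem -key server.key \
#       -CAfile cacrl.pem -Verify 1 -crl_check
#   openssl s_client -connect localhost:7770 -cert bad.pem -key bad.key
```

Without -crl_check the revoked certificate verifies as OK even though the CRL is in the store, which is the API side of the original question: a CRL added with X509_STORE_add_crl is ignored until X509_V_FLAG_CRL_CHECK is set on the store (-crl_check checks only the end-entity certificate; -crl_check_all, i.e. X509_V_FLAG_CRL_CHECK_ALL, checks every certificate in the chain). Note that s_server only requests a client certificate with -verify depth, or -Verify depth to make one mandatory; the command quoted above has neither, so nothing would be checked. On the TLS side the server's own error stack still says "no certificate returned", but the alert it sends is derived from the verify result by ssl_verify_alarm_type, so s_client on the revoked side sees a "certificate revoked" alert.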


RE: CRL management pb

2007-05-15 Thread jfhuynh

Thank you for your response.
Actually I use the default verify_callback function (NULL):
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
By default, does it not take into account possible errors coming from the client
certificate?
Does it mean it is compulsory to call a verify_callback function?



 Hello everybody,

 I am trying to build an SSL server which performs client authentication and CRL
 management.

 To manage this:
 First, with X509_STORE_add_cert, I add the certificate coming from the
 trustees.pem file to verify the client certificate.
 Then I read the CRL file and get the corresponding X509_CRL object:
 with the X509_STORE_add_crl API, I put my X509_CRL object in the store too,
 and call X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK) to say I want to check
 the CRL.
 Lastly, with SSL_CTX_set_cert_store, I put my store in my SSL_CTX structure.

 Whenever a client connects, I get its certificate with SSL_get_certificate_peer
 and, as far as I understand, I believed I only have to call the
 SSL_get_verify_result API in order to know that the client authentication is
 correct and that its certificate does not belong to those described as revoked
 in the CRL file.

 Did I use those APIs properly, since I do not get a correct result (the client
 certificate has a serial number which is considered as revoked in the CRL file,
 but SSL_get_verify_result always returns X509_V_OK!)?

 Thank you in advance for your help!


If you have a verify callback that is set to ignore all errors it will show
X509_V_OK.

I'd suggest you try using the s_client application and/or the verify
application on the chain.

Failing that post the chain and CRL and the command line you used.

Steve.


Re: CRL management pb

2007-05-15 Thread Dr. Stephen Henson
On Tue, May 15, 2007, [EMAIL PROTECTED] wrote:

 
 Thank you for your response.
 Actually I use the default verify_callback function (NULL):
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
 By default, does it not take into account possible errors coming from the client
 certificate?
 Does it mean it is compulsory to call a verify_callback function?
 

No, quite the opposite. For many purposes you don't need a custom callback.

Unfortunately some guides insist a callback is necessary; some even
supply a debugging callback which ignores all errors and results in zero
security.

Steve.


Re: CRL management pb

2007-05-15 Thread jfhuynh

Thank you Dr. Henson for the answer ..
I feel more reassured ... :)

I managed to go a little bit further in my test now, after having put the right
certificate on the client side.
I am quite surprised by the behaviour of my server, since when the client
certificate belongs to the CRL handled by my server, this time I get the
handshake error (no certificate returned). I was expecting a message like
"CR revoked" .. (the client connection was refused before I used the
SSL_get_verify_result API, as I expected at first.)
Is it the normal behaviour or have I forgotten to set an option?

jf



Selon Dr. Stephen Henson [EMAIL PROTECTED]:

 On Tue, May 15, 2007, [EMAIL PROTECTED] wrote:

 
  Thank you for your response.
  Actually I use the default verify_callback function (NULL):
      SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
  By default, does it not take into account possible errors coming from the client
  certificate?
  Does it mean it is compulsory to call a verify_callback function?
 

 No, quite the opposite. For many purposes you don't need a custom callback.

 Unfortunately some guides insist a callback is necessary; some even
 supply a debugging callback which ignores all errors and results in zero
 security.

 Steve.


Re: CRL management pb

2007-05-15 Thread Dr. Stephen Henson
On Tue, May 15, 2007, [EMAIL PROTECTED] wrote:

 
 Thank you Dr. Henson for the answer ..
 I feel more reassured ... :)
 
 I managed to go a little bit further in my test now, after having put the
 right
 certificate on the client side.
 I am quite surprised by the behaviour of my server, since when the client
 certificate belongs to the CRL handled by my server, this time I get
 the
 handshake error (no certificate returned). I was expecting a message
 like
 "CR revoked" .. (the client connection was refused before I used the
 SSL_get_verify_result API, as I expected at first.)
 Is it the normal behaviour or have I forgotten to set an option?
 

I'd suggest you set up s_client/s_server with the appropriate certificates and
CRL and see if you get the same results.

Steve.


Re: CRL management pb

2007-05-14 Thread Dr. Stephen Henson
On Mon, May 14, 2007, [EMAIL PROTECTED] wrote:

 
 Hello everybody,
 
 I am trying to build an SSL server which performs client authentication and CRL
 management.
 
 To manage this:
 First, with X509_STORE_add_cert, I add the certificate coming from the
 trustees.pem file to verify the client certificate.
 Then I read the CRL file and get the corresponding X509_CRL object:
 with the X509_STORE_add_crl API, I put my X509_CRL object in the store too,
 and call X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK) to say I want to
 check
 the CRL.
 Lastly, with SSL_CTX_set_cert_store, I put my store in my SSL_CTX structure.
 
 Whenever a client connects, I get its certificate with
 SSL_get_certificate_peer
 and, as far as I understand, I believed I only have to call the
 SSL_get_verify_result API in order to know that the client authentication is
 correct and that its certificate does not belong to those described as revoked
 in
 the CRL file.
 
 Did I use those APIs properly, since I do not get a correct result (the client
 certificate has a serial number which is considered as revoked in the CRL file,
 but
 SSL_get_verify_result always returns X509_V_OK!)?
 
 Thank you in advance for your help!
 

If you have a verify callback that is set to ignore all errors it will show
X509_V_OK.

I'd suggest you try using the s_client application and/or the verify
application on the chain.

Failing that post the chain and CRL and the command line you used.

Steve.