A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.


A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

domi
Hello all together,

I’m not quite sure where to post my question because I wasn’t able to locate my fault. So I’ll post my question in the OpenSSL-users forum and in the Apache HTTP server-users forum. A similar post in a German Firefox forum brought no solution. Please excuse me if the question doesn’t fit into this forum.

To my situation: I’m using Linux/SUSE 10.0 with Apache 2.0.54, OpenSSL 0.9.7g and Firefox 2.0.1. I’m the webserver and client in one person. I’ve given my computer a static IP address: 192.168.0.2
I’ve built a simple website to which I’ve got access with https://192.168.0.2
I want to include the use of CRLs. Client certificates are not a subject for me.
Apache and OpenSSL work very fine and I’m able to create CRLs and import them into my Firefox.

To my problem: When my webserver uses certificates which are revoked (I revoked them) I’m still able to access the site although the browser has got the newest CRL. I’ve read a lot of configs and howtos but I still don’t know the reason for this fault.
If anyone knows a good howto for my scenario or (and better) the solution for my problem please let me know. Subsequently I post some excerpts of what I’ve done so far.

Here is the OpenSSL part starting with the creation of my CA. At first the basics:
# mkdir /opt/exampleca
# cd /opt/exampleca
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo '01' > serial
# touch index.txt

Here is my openssl.cnf:
[ ca ]
default_ca = exampleca

[ exampleca ]
dir = /opt/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = md5

policy = exampleca_policy
x509_extensions = certificate_extensions

[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false
crlDistributionPoints=URI:https://192.168.0.2/derexample.crl

[ req ]
default_bits = 2048
default_keyfile = /opt/exampleca/private/cakey.pem
default_md = md5

prompt = no
distinguished_name = root_ca_distinguished_name

x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = Example CA
stateOrProvinceName = Virginia
countryName = US
emailAddress = ca@exampleca.org
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:true


With these commands I’m telling OpenSSL where to find my config file
# OPENSSL_CONF=/opt/exampleca/openssl.cnf
# export OPENSSL_CONF

Generating a self-signed root certificate
# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM

A look at the output of the self-signed root certificate
# openssl x509 -in cacert.pem -text -noout

Generating a certificate request
# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM

A look at the output of the certificate request
# openssl req -in testreq.pem -text -noout

Issue a certificate from a certificate request
# openssl ca -in testreq.pem

Revoke a certificate
# cp certs/01.pem testcert.pem
# openssl ca -revoke testcert.pem

Generating a CRL
# openssl ca -gencrl -out example.crl

A look at the output of the CRL
# openssl crl -in example.crl -text -noout

Verify the signature of the CRL
# openssl crl -in example.crl -noout -CAfile cacert.pem

Transform the CRL from PEM to DER because Firefox needs DER format
# openssl crl -in example.crl -outform DER -out derexample.crl

A look at the output of the DER CRL
# openssl crl -text -noout -in derexample.crl -inform der


Now to my Apache part:

I copy the derexample.crl into the DocumentRoot of the Apache so that I can access it with https://192.168.0.2/derexample.crl
That’s probably not 100% secure but it works for now and it will be changed in the near future.

Now to the Apache configs:

- LoadModule ssl_module is included in my loadmodule.conf

- an excerpt of my default-server.conf:
<Directory "/srv/www/htdocs">
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

- Here is my complete ssl-global.conf:

##SSL Global Context

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 600

SSLMutex default

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
ServerName 192.168.0.2:443
Errorlog /opt/exampleca/ssl_error_log
Transferlog /opt/exampleca/ssl_access_log

SSLEngine on

SSLCipherSuite HIGH:MEDIUM

SSLProtocol all

SSLCertificateFile /some/path/01.pem
SSLCertificateKeyFile /some/path/testkey.pem
SSLCertificateChainFile /some/path/cacert.pem

</VirtualHost>

</IfModule>
</IfDefine>
</IfDefine>


All the steps in OpenSSL and Apache work as far as I can say. Now follow some steps to access my site.
step 1: start the Apache with /etc/init.d/apache2 startssl
The certificate in the Apache ssl-global.conf is NOT revoked.

step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
Of course you must trust the certificate.

step 3: import the CRL in the Firefox under settings-advanced-encryption. Here you can enter the URL https://192.168.0.2/derexample.crl and import the CRL

step 4: The certificate of the CA has to be imported and trusted as well.

step 5: Close Firefox and stop Apache with /etc/init.d/apache2 stop

step 6: Now I change the ssl-global.conf and enter a certificate which I revoked beforehand. Of course the CRL is up to date.

step 7: new start of Apache and Firefox. The site can still be accessed although the certificate is revoked; no error message or something like that is shown. I also deleted the private internet files and the last visited pages to avoid that my site still lies somewhere in the cache.

Does anyone know why I’m still able to access this site? I’m very thankful for all comments, hints and solutions. If you need my complete configs or something else feel free to ask.

best regards domi

Re: A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

Goetz Babin-Ebell
domi wrote:
> Hello all together,
Hello Domi,

> I’m not quite sure where to post my question because I wasn’t able to locate
> my fault. So I’ll post my question in the OpenSSL-user forum and in the
> Apache http server-users forum. A similar post in a German Firefox forum
> brought no solution. Please excuse if the question doesn’t fit into this
> forum.

[...]

Thanks for the detailed information you have given.
Unfortunately most of it is quite useless in this situation ;-)

What we need is:
* The CA certificate
* The server certificate
* The CRL
* The output of
  openssl verify -CAfile CAandCRLconcatenated.pem -verbose -crl_check \
          server.pem
* The output of
  openssl s_client -verify 5 -CAfile CAandCRLconcatenated.pem -showcerts \
          -connect 192.168.0.2:443


> Here is my openssl.cnf:
[...]
> [ certificate_extensions ]
> basicConstraints = CA:false
> crlDistributionPoints=URI:https://192.168.0.2/derexample.crl
Why is this https ?
The CRL is public information.
This could lead to something like:
* Browser wants to connect HTTPS on 192.168.0.2
* HTTPS on 192.168.0.2 returns cert.
* browser wants to check integrity of cert from 192.168.0.2
* browser connects HTTPS on 192.168.0.2.
* HTTPS on 192.168.0.2 returns cert.
* browser wants to check integrity of cert from 192.168.0.2
...

[...]
> Now to my Apache part:
This is useless information.
The server only supplies the CRL and uses the server cert on https
connections. How apache is configured to do this is not an issue here.

[...]
> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
> Of course you must trust the certificate.
But only temporarily for this session...

[...]
> step 7: new start of Apache und Firefox. The site can still be accessed
> although the certificate is revoked; no error message or something like that
> is shown. I also deleted the private internet files and the last visited
> pages to avoid that my site still lies somewhere in the cache.
This seems to be a browser problem.
Try to do this with a server without crlDistributionPoints extension.


Bye

Goetz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
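The check Goetz asks for (openssl verify with -crl_check against the CA certificate and the CRL concatenated into one PEM), as an added example that is not part of this thread: it builds a throwaway CA in a temporary directory with a config modelled on domi's, issues a server certificate, revokes it, and classifies the certificate against the CRL from before and after the revocation. It assumes the openssl command-line tool is installed; the names DemoCA, server.pem, ca_before.pem and ca_after.pem are constructed for the example.

```shell
# Added example, not from the thread: throwaway CA like domi's, issue a server
# cert, revoke it, then run the check Goetz asks for. Assumes the openssl CLI.
set -e
# Build the CA in a temp dir and print its path; leaves cacert.pem, server.pem,
# ca_before.pem (CA + empty CRL) and ca_after.pem (CA + CRL listing server.pem).
setup_demo_ca() {
  d=$(mktemp -d)
  mkdir "$d/certs"; touch "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = overridden by -subj
[ ca_ext ]
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
EOF
  (cd "$d" && openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -subj /CN=DemoCA -keyout cakey.pem -out cacert.pem \
    && openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=192.168.0.2 -keyout srvkey.pem -out srv.csr \
    && openssl ca -config ca.cnf -batch -notext -in srv.csr -out server.pem \
    && openssl ca -config ca.cnf -gencrl -out before.crl \
    && openssl ca -config ca.cnf -revoke server.pem \
    && openssl ca -config ca.cnf -gencrl -out after.crl \
    && cat cacert.pem before.crl > ca_before.pem && cat cacert.pem after.crl > ca_after.pem) >/dev/null 2>&1
  echo "$d"
}
# Classify server.pem against the CA+CRL bundle $1/$2: "ok", "revoked", or the raw error.
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$1/$2" "$1/server.pem" 2>&1 || true)
  case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo ok ;; *) echo "error: $out" ;; esac
}
```

Run `D=$(setup_demo_ca); cert_status "$D" ca_after.pem` to see the revoked verdict that the browser in the thread never produced; the same two commands, pointed at the real cacert.pem, CRL and server cert, are what Goetz asked domi to report.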

Re: A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

domi
Hello Goetz,

again thanks for your quick answer. I think I found a solution with the help of the Apache HTTP Server forum. Everyone who is interested in it, take a look at http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html
In the end I think that it was no OpenSSL problem. But it is good to know that there is a place where I can ask my OpenSSL questions ;)

best regards domi