Certificate Revocation Lists and Apache...

Hi,

I need a little help with Certificate Revocation Lists. I did set up client certificate filtering with Apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the client certificates. Now, I am testing Certificate Revocation Lists, but Apache keeps saying: "Invalid signature on CRL"

I used:

$ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
Using configuration from openssl.conf
Enter pass phrase for cassl/private/cassl.key:
Revoking Certificate 02.
Data Base Updated

$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
Using configuration from openssl.conf
Enter pass phrase for /root/Certifs/cassl/private/cassl.key:

$ # cat cassl/crl.pem
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

In Apache logs, when the CRL file is activated in the conf:

[debug] ssl_engine_init.c(538): Configuring client authentication
[debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[debug] ssl_engine_init.c(626): Configuring certificate revocation facility
[debug] ssl_engine_init.c(729): Configuring RSA server certificate
[debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

Also, at one point, I got a "data too large":

[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, but I don't have this error anymore...

How can I check if the crl.pem file is ok?

$ openssl crl -in cassl/crl.pem -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
        Last Update: Nov 4 14:39:36 2009 GMT
        Next Update: Nov 4 14:39:36 2010 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Nov 4 14:37:03 2009 GMT
    Signature Algorithm: sha1WithRSAEncryption
        03:...
        ...
        ...:8d
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

I also tried all sorts of verify combos, but all fail:

$ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

$ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check cassl/crl.pem
unable to load certificate
9605:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

$ openssl verify -verbose -CAfile cassl/cassl.pem -purpose crlsign -crl_check cassl/crl.pem
unable to load certificate
9606:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

Any idea what I am doing wrong?

Thx,
JD
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...
Re: Certificate Revocation Lists and Apache...

We were getting the no certificate returned error when signing the cert with the notAfter field (this was in a PostgreSQL context, if it matters). The -verify command reported:

error 14 at 0 depth lookup:format error in certificate's notAfter field

re-signing the cert with the -days x option instead of notAfter solved that one...

Also - and you may not believe this response - have you re-started Apache? There's been quite a lot of chatter on various lists about the need to restart - refresh won't do, apparently. We had been assuming that mod_ssl would (should?) re-read the CRL once a handshake begins, but apparently it doesn't! (Bigger brains: please correct if I'm wrong about this). There are good arguments on both sides of that conversation but, nonetheless, it creates a housekeeping issue.

Let us know how you get on...

Lou

----- Original Message -----
From: "John Doe" <jdmls@...>
To: openssl-users@...
Sent: Wednesday, November 4, 2009 10:27:32 AM GMT -05:00 US/Canada Eastern
Subject: Certificate Revocation Lists and Apache...

[...]
Re: Certificate Revocation Lists and Apache...

From: Lou Picciano <loupicciano@...>
> We were getting the no certificate returned error when signing the cert with the notAfter field (this was in a PostgreSQL context, if it matters).
> The -verify command reported:
> error 14 at 0 depth lookup:format error in certificate's notAfter field
> re-signing the cert with the -days x option instead of notAfter solved that one...

I tried this and it seems to work:

$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...6U=
-----END X509 CRL-----

> Also - and you may not believe this response - have you re-started Apache?

I do restart it. Basically, here are my tests:

1. Delete everything.
2. Generate CA, CASSL signed, serverssl signed.
3. Copy serverssl certs/key to Apache and restart it (crl disabled).
4. Generate/sign with CASSL client1 and client2 certs.
5. Connect to Apache without client certs. Fails as expected.
6. Connect to Apache with client certs. Works.
7. Revoke client1 and copy crl to Apache and restart it (crl enabled).
8. Connect to Apache with client1 or 2 certs. Both fail (in fact the crl fails).
9. Restart Apache (crl disabled).
10. Connect to Apache with client certs. Works.

So the CRL error blocks everything...

Thx,
JD
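The thread's last message gets "verify OK" from openssl crl -CAfile, which looks the CRL's issuer up by DN in the given file and checks the signature with that certificate's key. mod_ssl does the same lookup by issuer DN inside its trusted store, so if the DN on the CRL also belongs to a different certificate than the one whose key signed it (the log above shows the root at depth 2 and the CRL issuer carrying the same DN), the signature is checked with the wrong public key. An RSA signature checked against the wrong key is what produces "block type is not 01" / "padding check failed", and "data too large for modulus" is what RSA reports when the signature is longer than the modulus it is being checked against, which is why the 2048-to-1024 key change altered the error without curing it. The script below is an added example, not code from the thread or from the OpenSSL project: it rebuilds a two-tier PKI with openssl ca -name sections like the poster's, revokes one client, generates a CRL, and then runs the CRL-signature, issuer-DN and -crl_check verifications that tell a good CRL from one checked against the wrong CA. The distinct DNs for the root and the issuing CA, the file names, the CA_root section and the CRL_DEMO_DIR variable are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the poster's two-tier PKI
# ("CA" -> "CA SSL" -> client certs) with openssl ca -name sections, revoke one
# client, publish a CRL, then run the checks that tell a CRL verified against
# the wrong CA apart from a good one. Assumes POSIX sh and openssl 1.1.1 or 3.x.
D="${CRL_DEMO_DIR:-$(mktemp -d)}"   # work dir (hypothetical env override)

write_config() {   # two CA sections, like the thread's "-name CA_ssl_default"
    cat > "$D/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ CA_root ]
database = $D/root.index
serial = $D/root.serial
new_certs_dir = $D
certificate = $D/root.pem
private_key = $D/root.key
default_md = sha256
default_days = 1825
policy = policy_any
[ CA_ssl_default ]
database = $D/cassl.index
serial = $D/cassl.serial
crlnumber = $D/cassl.crlnumber
new_certs_dir = $D
certificate = $D/cassl.pem
private_key = $D/cassl.key
default_md = sha256
default_days = 365
policy = policy_any
EOF
}

newkey_csr() {   # $1 = file stem, $2 = subject DN: unencrypted key plus CSR
    openssl req -new -config "$D/openssl.cnf" -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$D/$1.key" -out "$D/$1.csr" >/dev/null 2>&1
}

build_pki() {
    write_config
    : > "$D/root.index"; : > "$D/cassl.index"
    echo 01 > "$D/root.serial"; echo 01 > "$D/cassl.serial"; echo 01 > "$D/cassl.crlnumber"
    # Root CA, self-signed. Its DN deliberately differs from the issuing CA's: CRLs are
    # looked up by issuer DN, so a shared DN can send the verifier to the wrong public key.
    openssl req -x509 -config "$D/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -subj "/C=AA/O=Example/CN=Example Root CA" -keyout "$D/root.key" -out "$D/root.pem" >/dev/null 2>&1
    # Issuing CA ("CA SSL"), signed by the root through the CA_root section.
    newkey_csr cassl "/C=AA/O=Example/CN=Example Issuing CA"
    openssl ca -batch -notext -config "$D/openssl.cnf" -name CA_root -extensions v3_ca \
        -in "$D/cassl.csr" -out "$D/cassl.pem" >/dev/null 2>&1
    # Two client certificates from the issuing CA (serials 01 and 02).
    for c in client1 client2; do
        newkey_csr "$c" "/C=AA/O=Example/CN=$c"
        openssl ca -batch -notext -config "$D/openssl.cnf" -name CA_ssl_default \
            -extensions v3_client -in "$D/$c.csr" -out "$D/$c.pem" >/dev/null 2>&1
    done
    # Revoke client1 and publish a CRL signed by the issuing CA's key.
    openssl ca -config "$D/openssl.cnf" -name CA_ssl_default -revoke "$D/client1.pem" >/dev/null 2>&1
    openssl ca -config "$D/openssl.cnf" -name CA_ssl_default -gencrl -crldays 30 \
        -out "$D/crl.pem" >/dev/null 2>&1
    # What SSLCACertificateFile should hold: the whole chain behind the client certs.
    cat "$D/root.pem" "$D/cassl.pem" > "$D/chain.pem"
}

crl_signed_by() {   # 0 iff CRL $1 verifies under CA cert $2 (openssl prints "verify OK")
    out=$(openssl crl -noout -in "$1" -CAfile "$2" 2>&1) || true
    case "$out" in *"verify OK"*) return 0 ;; *) return 1 ;; esac
}

crl_issuer_matches() {   # yes/no: is CRL $1's issuer DN the subject DN of cert $2?
    iss=$(openssl crl -noout -issuer -in "$1" | sed 's/^issuer=[ ]*//')
    sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=[ ]*//')
    if [ -n "$iss" ] && [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

client_status() {   # OK / REVOKED / FAIL for client cert $1, with CRL checking enabled
    if out=$(openssl verify -CAfile "$D/chain.pem" -CRLfile "$D/crl.pem" -crl_check "$1" 2>&1); then
        echo OK; return 0; fi
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
    return 1
}

build_pki
echo "CRL issuer DN is the issuing CA's subject: $(crl_issuer_matches "$D/crl.pem" "$D/cassl.pem")"
crl_signed_by "$D/crl.pem" "$D/cassl.pem" && echo "CRL verifies against cassl.pem (its real issuer)"
crl_signed_by "$D/crl.pem" "$D/root.pem" || echo "CRL does not verify against root.pem (wrong CA)"
for c in client1 client2; do echo "$c: $(client_status "$D/$c.pem")"; done
```

Run it with sh and it prints the four checks for the temporary work directory. The last function is the one to keep around: openssl verify -CAfile chain.pem -CRLfile crl.pem -crl_check client.pem performs, offline, the same chain-plus-revocation check mod_ssl performs with SSLCACertificateFile and SSLCARevocationFile, so a client certificate that comes back "certificate revoked" here and still connects to Apache points at the server's configuration (or, as the reply above notes, at a CRL file that was replaced without a restart) rather than at the CRL.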