Certificate Revocation Lists and Apache...

Hi,

I need a little help with Certificate Revocation Lists.
I set up client certificate filtering with Apache and it seems to work fine so far (I used a tutorial at http://www.adone.info/?p=4, which is down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SSL" is signing the clients certificates.
Now I am testing Certificate Revocation Lists, but Apache keeps saying: "Invalid signature on CRL"
I used:
  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
  Using configuration from openssl.conf
  Enter pass phrase for cassl/private/cassl.key:
  Revoking Certificate 02.
  Data Base Updated
  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
  Using configuration from openssl.conf
  Enter pass phrase for /root/Certifs/cassl/private/cassl.key:
  $ cat cassl/crl.pem
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40=
  -----END X509 CRL-----

In the Apache logs, when the CRL file is activated in the conf:
  [debug] ssl_engine_init.c(538): Configuring client authentication
  [debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
  [debug] ssl_engine_init.c(626): Configuring certificate revocation facility
  [debug] ssl_engine_init.c(729): Configuring RSA server certificate
  [debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:

  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4 14:39:36 2010 GMT
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
  [info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
  [info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

Also, at one point, I got a "data too large":
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
  [info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)
I reduced my CA and CASSL keys from 2048 down to 1024 bits... not sure if it helped, but I don't have this error anymore...

How can I check if the crl.pem file is ok?
  $ openssl crl -in cassl/crl.pem -text
  Certificate Revocation List (CRL):
          Version 1 (0x0)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
          Last Update: Nov  4 14:39:36 2009 GMT
          Next Update: Nov  4 14:39:36 2010 GMT
  Revoked Certificates:
      Serial Number: 02
          Revocation Date: Nov  4 14:37:03 2009 GMT
      Signature Algorithm: sha1WithRSAEncryption
          03:...
          ...
          ...:8d
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40=
  -----END X509 CRL-----

Any idea what I am doing wrong?
I was pointed to this bug https://issues.apache.org/bugzilla/show_bug.cgi?id=45708 but I don't think it applies to me.
My tests are pretty simple: clean state, generate CA/CASSL/clients certificates, generate crl, crl verify fails.
No changes in between...

Thx,
JD
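The procedure described in the message above (a root CA signing a "CA SSL" intermediate, the intermediate signing client certificates, `openssl ca -revoke` followed by `-gencrl`, then checking the resulting crl.pem), as an added, self-contained example that is not part of the original post and not Apache's or OpenSSL's own code. It builds a throwaway PKI in a temp directory and then answers the question "how can I check if the crl.pem file is ok?" the way a practitioner would: by verifying the CRL signature against each CA certificate to see which key actually signed it, and by running a full chain-plus-CRL validation of a revoked and an unrevoked client certificate. It assumes the `openssl` CLI (1.1.1 or 3.x) and a POSIX shell; the directory names, DNs, key sizes and the openssl.cnf contents are constructed for this example, not taken from the poster's setup.

```shell
#!/bin/sh
# Added example (not code from the original post or from Apache/OpenSSL):
# build a throwaway root CA -> "CA SSL" intermediate -> client certs PKI with
# the openssl CLI, revoke one client, generate the CRL with the intermediate,
# then check which CA key actually verifies the CRL signature. Directory
# layout, DNs and the openssl.cnf below are constructed for this example.
set -eu

# Run a command with its stderr appended to a log instead of hidden.
q() { "$@" 2>>"$PKI/openssl.log"; }

# Minimal openssl.cnf for `openssl req` / `openssl ca` in directory $1.
write_ca_config() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Build the PKI in a fresh temp dir; its path is left in $PKI.
build_pki() {
  PKI=$(mktemp -d)
  write_ca_config "$PKI/root"
  write_ca_config "$PKI/cassl"
  # Root CA: CSR self-signed with CA extensions.
  q openssl req -config "$PKI/root/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$PKI/root/ca.key" -out "$PKI/root/ca.csr" -subj "/CN=Example Root CA"
  q openssl x509 -req -in "$PKI/root/ca.csr" -signkey "$PKI/root/ca.key" -days 365 \
    -extfile "$PKI/root/openssl.cnf" -extensions v3_ca -out "$PKI/root/ca.crt"
  # Intermediate "CA SSL": its own DN and key, certificate signed by the root.
  q openssl req -config "$PKI/cassl/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$PKI/cassl/ca.key" -out "$PKI/cassl/ca.csr" -subj "/CN=Example CA SSL"
  q openssl ca -config "$PKI/root/openssl.cnf" -batch -notext -extensions v3_ca \
    -in "$PKI/cassl/ca.csr" -out "$PKI/cassl/ca.crt"
  # Client certificates issued by the intermediate; alice is then revoked.
  for name in alice bob; do
    q openssl req -config "$PKI/cassl/openssl.cnf" -new -newkey rsa:2048 -nodes \
      -keyout "$PKI/$name.key" -out "$PKI/$name.csr" -subj "/CN=$name"
    q openssl ca -config "$PKI/cassl/openssl.cnf" -batch -notext -extensions v3_client \
      -in "$PKI/$name.csr" -out "$PKI/$name.crt"
  done
  q openssl ca -config "$PKI/cassl/openssl.cnf" -revoke "$PKI/alice.crt"
  q openssl ca -config "$PKI/cassl/openssl.cnf" -gencrl -crldays 30 -out "$PKI/cassl/crl.pem"
}

# Exit 0 iff the CRL in $1 is signed by the key of the certificate in $2.
# openssl finds the issuer by the CRL's Issuer DN, then checks the signature
# with that certificate's public key: the two steps behind a CRL signature error.
crl_signed_by() { openssl crl -in "$1" -noout -CAfile "$2" >/dev/null 2>&1; }

# Print "accepted" or "rejected": full chain build plus CRL check for the
# client certificate in $1, as a client-cert-verifying server does it.
client_status() {
  if openssl verify -CAfile "$PKI/root/ca.crt" -untrusted "$PKI/cassl/ca.crt" \
       -crl_check -CRLfile "$PKI/cassl/crl.pem" "$1" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

build_pki
crl_signed_by "$PKI/cassl/crl.pem" "$PKI/cassl/ca.crt" && echo "CRL verifies with CA SSL"
crl_signed_by "$PKI/cassl/crl.pem" "$PKI/root/ca.crt" || echo "CRL does not verify with root CA"
echo "alice: $(client_status "$PKI/alice.crt")   bob: $(client_status "$PKI/bob.crt")"
```

The point of `crl_signed_by` is that a CRL generated with the intermediate's key verifies against the intermediate's certificate and against nothing else: mod_ssl, like `openssl crl -CAfile`, picks the CA certificate out of its trust store by the CRL's Issuer DN and then checks the signature with that certificate's key. So the first thing to do with an "Invalid signature on CRL" is to run `openssl crl -in crl.pem -noout -CAfile <cert>` against every CA certificate Apache has been given and confirm exactly one of them, the one that issued the client certificates, says "verify OK"; if two CA certificates carry the same DN, the lookup by name can land on a certificate whose key did not sign the CRL, and the signature check fails even though the CRL itself is fine. Key size plays no role in whether a correctly produced CRL verifies.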


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

