Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2008/02/26 19:57:32 UTC

mod_ssl & CRL verification

On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
> Well the current CRL strategy has a few problems. It ignores critical 
> extensions but that's a separate issue...

I was looking at this recently; is it still true that mod_ssl has to do 
so much of the CRL revocation checks for client certs itself (i.e. all 
of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do 
revocation checks itself if suitably configured, though maybe this is a 
recent addition?

> Many CRLs have short lifetimes and need to be updated fairly often which 
> causes problems when the server needs to be restarted each time.
...
> Well that's one strategy... another would be to use OCSP exclusively and 
> have a local OCSP responder driven by CRLs.

Right, that is exactly my view.  I think that any attempt to make 
mod_ssl treat CRLs as anything other than static files loaded once at 
startup will end up trying to reinvent OCSP badly.

If a free OCSP responder existed which actually did this maybe those 
"make CRL handling better" bug reports would go away :)

joe

Re: mod_ssl & CRL verification

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
Joe Orton wrote:
> On Tue, Feb 26, 2008 at 04:51:40PM +0000, Dr Stephen Henson wrote:
>> Well the current CRL strategy has a few problems. It ignores critical 
>> extensions but that's a separate issue...
> 
> I was looking at this recently; is it still true that mod_ssl has to do 
> so much of the CRL revocation checks for client certs itself (i.e. all 
> of ssl_callback_SSLVerify_CRL) - it looks like X509_verify_cert() can do 
> revocation checks itself if suitably configured, though maybe this is a 
> recent addition?
> 

Some enhanced CRL support in X509_verify_cert() has been in OpenSSL for 
some time (over a year).

You just need to set the relevant flags and OpenSSL will handle things.

OpenSSL 0.9.7 checks for critical CRL extensions and rejects a CRL if it 
finds any.

0.9.8 can also use key identifiers to look up CRLs.

0.9.9 also includes support for extensions like IDP for CRL 
partitioning. It also allows multiple CRLs with the same scope to appear 
in a store and uses the first valid one (likely to change that to most 
recent). There is also a form of dynamic CRL loading. The functionality 
will be extended in future.

There is a difference in the directory handling. OpenSSL doesn't make 
any distinction between certificate and CRL directories: a CRL can 
appear in a certificate directory and vice-versa.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
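
As an added illustration of the "set the relevant flags" path above (not code from this thread, httpd or OpenSSL), the script below builds a throwaway CA, issues two client certificates, revokes one, and lets `openssl verify -crl_check`, the command-line equivalent of the X509_V_FLAG_CRL_CHECK flag that X509_verify_cert() honours, make the revocation decision instead of hand-written CRL code. All file names and the config are constructed for the demo; an openssl binary on PATH is assumed.

```shell
# Added example (constructed names/config, not code from this thread, httpd or
# OpenSSL): throwaway CA in a temp dir, two client certs, one revoked, and
# `openssl verify -crl_check` (CLI face of X509_V_FLAG_CRL_CHECK) deciding.
set -eu

crl_demo_setup() {
  WORK=$(mktemp -d); cd "$WORK"
  # Minimal `openssl ca` config; the CA cert needs CA:TRUE and cRLSign.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = any
x509_extensions = v3ca
[ v3ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=demo-ca -days 1 -config ca.cnf 2>/dev/null
  for n in good revoked; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=$n" -config ca.cnf 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -in "$n.csr" -out "$n.pem" -days 1 2>/dev/null
  done
  openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# Echo "accepted" or OpenSSL's first verify error; -crl_check_all would also need CA CRLs.
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1) \
    && { echo accepted; return; }
  printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1
}
crl_demo_setup
for c in good.pem revoked.pem; do echo "$c: $(crl_status "$c")"; done
```

The unrevoked certificate prints `accepted`; the revoked one prints `certificate revoked`, the same X509_V_ERR_CERT_REVOKED result an application using X509_verify_cert() with the CRL flags set would receive.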

Re: mod_ssl & CRL verification

Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 26, 2008 at 1:57 PM, Joe Orton <jo...@redhat.com> wrote:
>  Right, that is exactly my view.  I think that any attempt to make
>  mod_ssl treat CRLs as anything other than static files loaded once at
>  startup will end up trying to reinvent OCSP badly.
>
>  If a free OCSP responder existed which actually did this maybe those
>  "make CRL handling better" bug reports would go away :)

FWIW I have experimented with this recently and found ocspd from
openca.org was able to frontend a CRL-as-static-file satisfactorily
(albeit for a different security library and SSL application).  It
seems to be BSD-like and gratis.

Unfortunately I stopped short of trying to frontend a CRL-over-LDAP,
but it does purport to do this as part of its core functionality.

https://www.openca.org/projects/ocspd/downloads.shtml

-- 
Eric Covener
covener@gmail.com