You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/04/27 15:53:08 UTC

[Bug 53156] New: CRL validation fails if CRL is missing

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

          Priority: P2
            Bug ID: 53156
          Assignee: bugs@httpd.apache.org
           Summary: CRL validation fails if CRL is missing
          Severity: enhancement
    Classification: Unclassified
                OS: All
          Reporter: me@davidsansome.com
          Hardware: All
            Status: NEW
           Version: 2.5-HEAD
         Component: mod_ssl
           Product: Apache httpd-2

Created attachment 28688
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28688&action=edit
Add a SSLCARevocationAllowMissing option

In Apache 2.3.15 the CRL validation behaviour was changed to fail with an
"unable to get certificate CRL" error if a client tried to connect with a
certificate that was signed by a CA that did not have a CRL configured.

I've attached a patch that adds a SSLCARevocationAllowMissing option to restore
the old behaviour.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 53156] CRL validation fails if CRL is missing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me...@davidsansome.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 53156] CRL validation fails if CRL is missing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Ruediger Pluem <rp...@apache.org> ---
Why doesn't SSLCARevocationCheck none solve your problem (which is the default
value btw)?

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 53156] CRL validation fails if CRL is missing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

nada <ap...@valgronda.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |apache_bugzilla@valgronda.c
                   |                            |om

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 53156] CRL validation fails if CRL is missing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

David Sansome <me...@davidsansome.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #2 from David Sansome <me...@davidsansome.com> ---
If I have CRLs for some CAs in the chain but not others then
SSLCARevocationCheck none/chain will only let me either allow everything or
deny everything - I can't tell it to check the ones that I have CRLs for but
ignore the rest.

The long answer is that I'm working on an embedded appliance that uses Apache -
we want to upgrade it from 2.2 to 2.4, but some users might have already added
CRLs to their systems.  We could default the SSLCARevocationCheck option to
None, which would lower security for the people who were using CRLs, or we
could default it to Chain, which would completely lock out people who were
using client certificate checking without CRLs.  Adding this option back in
makes sure we don't break anybody.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 53156] CRL validation fails if CRL is missing

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=53156

--- Comment #3 from Kaspar Brand <as...@velox.ch> ---
There's room for improvement with regards to revocation checking settings in
mod_ssl, that's true.

Re-introducing an additional directive which restores the behavior from 2.2
seems like the wrong approach, however. Making revocation checking optional
(like the SSLCARevocationAllowMissing boolean would do) is pretty nonsensical,
IMO - either you insist on clients having an unrevoked cert or you don't.

Configuring revocation setting options basically amounts to enforcing a
security policy - that's why I added a separate CARevocationCheck directive in
r1165056 (which no longer relies on the implicit effects of
CARevocationFile/CARevocationPath as in 2.2). Instead of introducing yet
another directive, we should consider extending the syntax/options of
SSLCARevocationCheck.

One thing I was thinking about when working on r1165056 was to make revocation
checking succeed if the "unrevoked" status can be determined from either the
CRL or an OCSP response. Currently, if CRL and OCSP checking is enabled, *both*
have to succeed.

Finally, let me point out that there's an inherent issue with the proposed
patch: if mod_ssl unconditionally ignores X509_V_ERR_UNABLE_TO_GET_CRL errors
when "AllowMissing" is enabled, then it's no longer possible to reliably
enforce revocation checking for those CAs which do have CRLs (mod_ssl wouldn't
complain when the CRL can't be found, it would just silently proceed).

-- 
You are receiving this mail because:
You are the assignee for the bug.