You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Falco Schwarz <hi...@falco.me> on 2014/02/04 19:16:41 UTC
mod_ssl-2.4.x-certkeyfile and OCSPStapling
After playing around a bit more with this patch, I discovered that OCSPStapling cannot get the issuer certificate if you use only the SSLCertificateFile directive. It works if you specify SSLCertificateChainFile, though.
Error only using SSLCertificateFile:
2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate foo.bar:443:0 for stapling
RE: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Falco Schwarz <hi...@falco.me>.
> the information for OCSP stapling is in the "SSLCertificateChainFile" by definition
> http://en.wikipedia.org/wiki/OCSP_stapling
I know that. It cannot however be there if one is trying to deprecate this Directive as of https://svn.apache.org/r1553824
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Daniel Kahn Gillmor <dk...@fifthhorseman.net>.
On 02/05/2014 02:44 AM, Kaspar Brand wrote:
> On 05.02.2014 08:25, Brian Smith wrote:
>> It would be possible for a server to fetch and staple the OCSP
>> response only using the information from the server's end-entity
>> certificate.
>
> Actually no - you can't properly fill in the CertID for the request
> otherwise. From RFC 6960:
>
>> Request ::= SEQUENCE {
>> reqCert CertID,
>> singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
>>
>> CertID ::= SEQUENCE {
>> hashAlgorithm AlgorithmIdentifier,
>> issuerNameHash OCTET STRING, -- Hash of issuer's DN
>> issuerKeyHash OCTET STRING, -- Hash of issuer's public key
>> serialNumber CertificateSerialNumber }
>>
>
> and
>
>> o issuerKeyHash is the hash of the issuer's public key. The hash
>> shall be calculated over the value (excluding tag and length) of
>> the subject public key field in the issuer's certificate.
>
> (relying on the end-entity's AKID extension isn't reliable enough - even
> if it is present, it doesn't necessarily have to be a hash over the
> issuer's public key, that's only a recommendation in RFC 5280 section
> 4.2.1.2)
furthermore, there are good arguments to be made that the recommendation
in RFC 5280 for the Key ID is actually a bad recommendation, since
hashing only the SPK doesn't include the algorithm identifier itself
(which would be included if the hash was over the full SPKI instead).
I don't have a concrete attack sorted out, but i can imagine two
separate algorithms which use the same octet string for their SPK, which
result in radically OCSP or other behavior, similar to
Mavrogiannopoulos' cross-protocol attack (which misinterpreted data
across different forms of DHE):
http://www.cosic.esat.kuleuven.be/publications/article-2216.pdf
--dkg
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Kaspar Brand <ht...@velox.ch>.
On 05.02.2014 08:25, Brian Smith wrote:
> It would be possible for a server to fetch and staple the OCSP
> response only using the information from the server's end-entity
> certificate.
Actually no - you can't properly fill in the CertID for the request
otherwise. From RFC 6960:
> Request ::= SEQUENCE {
> reqCert CertID,
> singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
>
> CertID ::= SEQUENCE {
> hashAlgorithm AlgorithmIdentifier,
> issuerNameHash OCTET STRING, -- Hash of issuer's DN
> issuerKeyHash OCTET STRING, -- Hash of issuer's public key
> serialNumber CertificateSerialNumber }
>
and
> o issuerKeyHash is the hash of the issuer's public key. The hash
> shall be calculated over the value (excluding tag and length) of
> the subject public key field in the issuer's certificate.
(relying on the end-entity's AKID extension isn't reliable enough - even
if it is present, it doesn't necessarily have to be a hash over the
issuer's public key, that's only a recommendation in RFC 5280 section
4.2.1.2)
Kaspar
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Brian Smith <br...@briansmith.org>.
On Tue, Feb 4, 2014 at 10:25 AM, Reindl Harald <h....@thelounge.net> wrote:
> Am 04.02.2014 19:16, schrieb Falco Schwarz:
>> After playing around a bit more with this patch, I discovered that OCSPStapling cannot get the issuer certificate if you use only the SSLCertificateFile directive. It works if you specify SSLCertificateChainFile, though.
>>
>> Error only using SSLCertificateFile:
>> 2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
>> 2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate foo.bar:443:0 for stapling
>
> the information for OCSP stapling is in the "SSLCertificateChainFile" by definition
> http://en.wikipedia.org/wiki/OCSP_stapling
It would be possible for a server to fetch and staple the OCSP
response only using the information from the server's end-entity
certificate. However, it is important that the server verify that the
OCSP response is valid for the end-entity certificate, and it cannot
do that without the issuing certificate. In particular, the server
needs to verify that the OCSP response was signed (perhaps indirectly)
by the issuing certificate.
Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Reindl Harald <h....@thelounge.net>.
Am 04.02.2014 19:16, schrieb Falco Schwarz:
> After playing around a bit more with this patch, I discovered that OCSPStapling cannot get the issuer certificate if you use only the SSLCertificateFile directive. It works if you specify SSLCertificateChainFile, though.
>
> Error only using SSLCertificateFile:
> 2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
> 2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate foo.bar:443:0 for stapling
the information for OCSP stapling is in the "SSLCertificateChainFile" by definition
http://en.wikipedia.org/wiki/OCSP_stapling
RE: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Falco Schwarz <hi...@falco.me>.
----------------------------------------
> Date: Wed, 5 Feb 2014 18:59:18 +0000
> From: shenson@opensslfoundation.com
>
> Ugh, messed up. Should be fixed now.
>
> Steve.
Yes, it is working now. Thank you.
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 05/02/2014 18:32, Falco Schwarz wrote:
>> I've just added this though in a slightly different way. Please test the next
>> snapshot or just pull the latest 1.0.2 branch from git.
>
>
> Just pulled the latest 1.0.2 branch from git and recompiled OpenSSL / httpd.
> I cannot get Stapling to work, though.
>
> 2014-02-05 18:52:56 foo.bar [mpm_prefork|notice] AH00169: caught SIGTERM, shutting down
> 2014-02-05 18:53:01 foo.bar [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
> 2014-02-05 18:53:01 foo.bar [ssl|error] AH: Unable to configure certificate foo.bar:443:0 for stapling
> 2014-02-05 18:53:01 foo.bar [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
> 2014-02-05 18:53:01 foo.bar [ssl|error] AH: Unable to configure certificate foo.bar:443:0 for stapling
>
>
> + if (parg == NULL && larg == 0)
> + *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
>
> In theory, I cannot find an error in your change though.
> Kaspar, do you have an idea?
>
Ugh, messed up. Should be fixed now.
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
RE: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Falco Schwarz <hi...@falco.me>.
> I've just added this though in a slightly different way. Please test the next
> snapshot or just pull the latest 1.0.2 branch from git.
Just pulled the latest 1.0.2 branch from git and recompiled OpenSSL / httpd.
I cannot get Stapling to work, though.
2014-02-05 18:52:56 foo.bar [mpm_prefork|notice] AH00169: caught SIGTERM, shutting down
2014-02-05 18:53:01 foo.bar [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
2014-02-05 18:53:01 foo.bar [ssl|error] AH: Unable to configure certificate foo.bar:443:0 for stapling
2014-02-05 18:53:01 foo.bar [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
2014-02-05 18:53:01 foo.bar [ssl|error] AH: Unable to configure certificate foo.bar:443:0 for stapling
+ if (parg == NULL && larg == 0)
+ *(STACK_OF(X509) **)parg = ctx->cert->key->chain;
In theory, I cannot find an error in your change though.
Kaspar, do you have an idea?
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 05/02/2014 16:44, Falco Schwarz wrote:
>> I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?
>
> Yes, I was using a nightly snapshot of OpenSSL 1.0.2
>
I've just added this though in a slightly different way. Please test the next
snapshot or just pull the latest 1.0.2 branch from git.
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
RE: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Falco Schwarz <hi...@falco.me>.
> I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?
Yes, I was using a nightly snapshot of OpenSSL 1.0.2
> Falco, can you confirm that applying one of the attached patches solves
> the problem for you?
I have tested both patches separately, each of them solves the problem.
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 05/02/2014 07:17, Kaspar Brand wrote:
>
> There are two ways to address the issue: either in mod_ssl, or in
> OpenSSL. I'm not sure which one is preferrable, but Mr. OpenSSL will
> hopefully tell us... (Steve: in theory, modifying the behavior of
> SSL_CTX_get_extra_chain_certs should be acceptable, given that only
> SSL_CTX_get0_chain_certs is documented, what do you think?)
>
In OpenSSL a function being undocumented is no guarantee something wont call it ;-)
It's not totally clear cut.
With that change an application can no longer obtain the extra_chain_certs only
and get NULL if there aren't any. However an application which is explicitly
using per-certificate chains shouldn't be using the extra_chain_certs anyway.
OTOH an existing application could uses SSL_CTX_use_certificate_chain_file and
then try to retrieve extra chain certificates using
SSL_CTX_get_extra_chain_certs. With the 1.0.2 changes to
SSL_CTX_use_certificate_chain_file that would fail in 1.0.2 without that change.
On balance I think that change should go in OpenSSL. I'll hear soon enough if it
breaks anything...
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Posted by Kaspar Brand <ht...@velox.ch>.
On 04.02.2014 19:16, Falco Schwarz wrote:
> After playing around a bit more with this patch, I discovered that OCSPStapling cannot get the issuer certificate if you use only the SSLCertificateFile directive. It works if you specify SSLCertificateChainFile, though.
>
> Error only using SSLCertificateFile:
> 2014-02-04 19:07:13 [ssl|error] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
> 2014-02-04 19:07:13 [ssl|error] AH02567: Unable to configure certificate foo.bar:443:0 for stapling
I assume that you are using (a snapshot of) OpenSSL 1.0.2, is that correct?
If so, it's actually a side effect of supporting per-certificate chains
with that future (not yet released) OpenSSL version.
There are two ways to address the issue: either in mod_ssl, or in
OpenSSL. I'm not sure which one is preferrable, but Mr. OpenSSL will
hopefully tell us... (Steve: in theory, modifying the behavior of
SSL_CTX_get_extra_chain_certs should be acceptable, given that only
SSL_CTX_get0_chain_certs is documented, what do you think?)
Falco, can you confirm that applying one of the attached patches solves
the problem for you?
Kaspar