Posted to users@httpd.apache.org by domi <Ke...@web.de> on 2007/02/04 14:22:41 UTC

[users@httpd] Problem with revoked certificates.

Hello all together,

I’m not quite sure where to post my question because I wasn’t able to locate
my fault. So I’ll post my question in the OpenSSL-user forum and in the
Apache http server-users forum. A similar post in a German Firefox forum
brought no solution. Please excuse if the question doesn’t fit into this
forum.

To my situation: I’m using Linux / SUSE 10.0 with Apache 2.0.54, OpenSSL
0.9.7g and Firefox 2.0.1. I’m the webserver and client in one person. I’ve
given my computer a static IP address: 192.168.0.2
I’ve built a simple website to which I’ve got access with
https://192.168.0.2
I want to include the use of CRLs. Client certificates are not a subject for me.
The Apache and OpenSSL work very well and I’m able to create CRLs and import
them into my Firefox.

To my problem: When my webserver uses certificates which are revoked (I
revoked them) I’m still able to access the site although the browser has got
the newest CRL. I’ve read a lot of configs and howtos but I still don’t know
the reason for this fault.
If anyone knows a good howto for my scenario or (and better) the solution
for my problem please let me know. Below I post some excerpts of what
I’ve done so far.

Here is the OpenSSL part starting with the creation of my CA. At first the
basics:
# mkdir /opt/exampleca
# cd /opt/exampleca
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo '01' > serial
# touch index.txt

Here is my openssl.cnf:
[ ca ]
default_ca 		= exampleca

[ exampleca ]
dir 			= /opt/exampleca
certificate 		= $dir/cacert.pem
database 		= $dir/index.txt
new_certs_dir 		= $dir/certs
private_key 		= $dir/private/cakey.pem
serial 			= $dir/serial

default_crl_days 	= 7
default_days 		= 365
default_md 		= md5

policy 			= exampleca_policy
x509_extensions 	= certificate_extensions

[ exampleca_policy ]
commonName 		= supplied
stateOrProvinceName 	= supplied
countryName 		= supplied
emailAddress 	= supplied
organizationName 	= supplied
organizationalUnitName 	= optional

[ certificate_extensions ]
basicConstraints 	= CA:false
crlDistributionPoints=URI:https://192.168.0.2/derexample.crl

[ req ]
default_bits 		= 2048
default_keyfile 	= /opt/exampleca/private/cakey.pem
default_md 		= md5

prompt = no
distinguished_name 	= root_ca_distinguished_name

x509_extensions 	= root_ca_extensions

[ root_ca_distinguished_name ]
commonName 		= Example CA
stateOrProvinceName 	= Virginia
countryName 		= US
emailAddress 		= ca@exampleca.org
organizationName 	= Root Certification Authority

[ root_ca_extensions ]
basicConstraints 	= CA:true


With this code I’m telling OpenSSL where to find my config file
# OPENSSL_CONF=/opt/exampleca/openssl.cnf
# export OPENSSL_CONF

Generating a self-signed root certificate
# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM

A look at the output of the self-signed root certificate
# openssl x509 -in cacert.pem -text -noout

Generating a certificate request
# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out \
testreq.pem -outform PEM

A look at the output of the certificate request
# openssl req -in testreq.pem -text -noout

Issue a certificate from a certificate request
# openssl ca -in testreq.pem

Revoke a certificate
# cp certs/01.pem testcert.pem
# openssl ca -revoke testcert.pem

Generating a CRL
# openssl ca -gencrl -out example.crl

A look at the output of the CRL
# openssl crl -in example.crl -text -noout

Verify the signature of the CRL
# openssl crl -in example.crl -noout -CAfile cacert.pem

Transform the CRL from PEM to DER because Firefox needs DER format
# openssl crl -in example.crl -outform DER -out derexample.crl

A look at the output of the DER CRL
# openssl crl -text -noout -in derexample.crl -inform der


Now to my Apache part:

I copy the derexample.crl into the DocumentRoot of the Apache so that I can
access it with https://192.168.0.2/derexample.crl
That’s probably not 100% secure but it works for now and it will be changed
in the near future.

Now to the Apache configs:

- LoadModule ssl_module is included in my loadmodule.conf

- an excerpt of my default-server.conf:
<Directory "/srv/www/htdocs">
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

- Here is my complete ssl-global.conf:

##SSL Global Context

<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

AddType application/x-x509-ca-cert		.crt
AddType application/x-pkcs7-crl		.crl

SSLPassPhraseDialog builtin

SSLSessionCache		shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout	600

SSLMutex default

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
ServerName 192.168.0.2:443
ErrorLog /opt/exampleca/ssl_error_log
TransferLog /opt/exampleca/ssl_access_log

SSLEngine on

SSLCipherSuite HIGH:MEDIUM

SSLProtocol all

SSLCertificateFile /some/path/01.pem
SSLCertificateKeyFile /some/path/testkey.pem
SSLCertificateChainFile /some/path/cacert.pem

</VirtualHost>

</IfModule>
</IfDefine>
</IfDefine>


All the steps in OpenSSL and Apache work as far as I can say. Now follow
some steps to access my site.
step 1: start the Apache with /etc/init.d/apache2 startssl
The certificate in the Apache ssl-global.conf is NOT revoked.

step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
Of course you must trust the certificate.

step 3: import the CRL in the Firefox under settings-advanced-encryption.
Here you can enter the URL https://192.168.0.2/derexample.crl and import the
CRL

step 4: The certificate of the CA has to be imported and trusted as well.

step 5: Close Firefox and stop Apache with /etc/init.d/apache2 stop

step 6: Now I change the ssl-global.conf and enter a certificate which I had
revoked beforehand. Of course the CRL is up to date.

step 7: restart Apache and Firefox. The site can still be accessed
although the certificate is revoked; no error message or anything like that
is shown. I also deleted the private internet files and the last visited
pages to avoid my site still lying somewhere in the cache.

Does anyone know why I’m still able to access this site? I’m very thankful
for all comments, hints and solutions. If you need my complete configs or
something else feel free to ask.

best regards domi

-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8792576
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
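The CA procedure in the post above, carried through end to end as an added example (this is not code from the thread): a throwaway CA laid out like the poster's openssl.cnf issues a server certificate, revokes it, publishes the CRL in PEM and DER form, and then checks the certificate against that CRL with `openssl verify -crl_check`, which is the check a CRL-aware client performs. Every name, path and URL in it is constructed; it uses sha256 where the post uses md5, a plain-http CRL distribution point, and an unencrypted CA key so that nothing prompts. It needs only the openssl command-line tool.

```shell
# Added example, not code from the thread: a throwaway CA laid out like the
# poster's openssl.cnf issues a server certificate, revokes it, publishes a
# CRL and then checks the certificate against that CRL with
# `openssl verify -crl_check`. Every name, path and URL below is constructed.
set -eu

# Minimal openssl.cnf in the thread's layout, with sha256 instead of md5 and
# a crlnumber file so that -gencrl can number its CRLs.
write_ca_config() {
  cat > "$DEMO_DIR/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
certificate      = $dir/cacert.pem
database         = $dir/index.txt
new_certs_dir    = $dir/certs
private_key      = $dir/private/cakey.pem
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_crl_days = 7
default_days     = 365
default_md       = sha256
policy           = demo_policy
x509_extensions  = server_extensions
[ demo_policy ]
commonName = supplied
[ server_extensions ]
basicConstraints      = CA:false
# Constructed URL, and plain http on purpose: a client must be able to fetch
# the CRL without first trusting the very certificate that names this URL.
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
[ req ]
distinguished_name = req_dn
x509_extensions    = root_ca_extensions
[ req_dn ]
[ root_ca_extensions ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Run one openssl subcommand inside the CA directory; its chatter goes to a log.
ca_run() { (cd "$DEMO_DIR" && openssl "$@" >>openssl.log 2>&1); }

# Regenerate the CRL in PEM form and, as Firefox wanted in the thread, in DER.
publish_crl() {
  ca_run ca -config openssl.cnf -gencrl -out demo.crl
  ca_run crl -in demo.crl -outform DER -out demo.der.crl
}

# Build a fresh CA, issue one server certificate and publish an empty CRL.
build_demo_ca() {
  DEMO_DIR="$(mktemp -d)"
  write_ca_config
  (cd "$DEMO_DIR" && mkdir certs private && chmod 700 private &&
     echo 01 > serial && echo 01 > crlnumber && : > index.txt)
  # Self-signed root; the key stays unencrypted so nothing prompts.
  ca_run req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
     -subj "/CN=Demo Root CA" -keyout private/cakey.pem -out cacert.pem
  # Request for the web server, then sign it from the CA database (serial 01).
  ca_run req -config openssl.cnf -new -newkey rsa:2048 -nodes \
     -subj "/CN=192.168.0.2" -keyout server.key -out server.csr
  ca_run ca -config openssl.cnf -batch -notext -in server.csr -out server.pem
  publish_crl
}

# Mark the server certificate revoked in the CA database, republish the CRL.
revoke_server_cert() {
  ca_run ca -config openssl.cnf -revoke server.pem
  publish_crl
}

# What a CRL-aware client should conclude: "valid", "revoked" or "untrusted".
crl_status() {
  out="$(cd "$DEMO_DIR" && openssl verify -crl_check -CAfile cacert.pem \
        -CRLfile demo.crl "$1" 2>&1)" && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *)                       echo untrusted ;;
  esac
}
# Number of serials listed in the current CRL (0 for an empty CRL).
revoked_count() {
  (cd "$DEMO_DIR" && openssl crl -in demo.crl -noout -text |
     grep -c 'Serial Number:') || true
}
# Succeeds only if the CRL's signature verifies against the CA certificate.
crl_signature_ok() {
  (cd "$DEMO_DIR" && openssl crl -in demo.crl -noout -CAfile cacert.pem 2>&1) |
    grep -q 'verify OK'
}

build_demo_ca
echo "before revocation: $(crl_status server.pem), CRL entries: $(revoked_count)"
revoke_server_cert
echo "after revocation:  $(crl_status server.pem), CRL entries: $(revoked_count)"
echo "CA directory kept for inspection: $DEMO_DIR"
```

The second `crl_status` call returns `revoked` only because the verifier is given both the CA certificate and the freshly published CRL; with the same CA certificate and no CRL the result is `untrusted` (OpenSSL reports that it cannot get the certificate's CRL), and without the CA certificate the verifier never reaches the CRL at all. That is the dependency the thread circles around: a client consults the CRL only for a certificate it validates through the imported CA, and a manual "trust this certificate" exception short-circuits that validation. The distribution point is plain http for the same reason: a CRL published only over https on the server whose own certificate is being checked cannot be fetched before that certificate has already been accepted.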


Re: [users@httpd] Problem with revoked certificates.

Posted by domi <Ke...@web.de>.
Joost de Heer wrote:
> 
> domi wrote:
> 
> [Question about CRLs]
> 
>> <VirtualHost _default_:443>
>> ServerName 192.168.0.2:443
>> Errorlog /opt/exampleca/ssl_error_log
>> Transferlog /opt/exampleca/ssl_access_log
>>
>> SSLEngine on
>>
>> SSLCipherSuite HIGH:MEDIUM
>>
>> SSLProtocol all
>>
>> SSLCertificateFile /some/path/01.pem
>> SSLCertificateKeyFile /some/path/testkey.pem
>> SSLCertificateChainFile /some/path/cacert.pem
>>
>> </VirtualHost>
> 
> You are missing a SSLCARevocationFile directive. Apache should check the
> CRL, not the browser.
> 
> Joost
> 
> 

Hello Joost,
thank you for your answer. I have a question concerning it. The definition
on http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslcarevocationfile
says the following:
<This directive sets the all-in-one file where you can assemble the
Certificate Revocation Lists (CRL) of Certification <Authorities (CA) whose
clients you deal with. These are used for Client Authentication. ...
As I understand this definition it is just for client authentication which I
don't want to deal with. (Not yet.)
Or do I misunderstand the definition?

best regards domi
-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8795601
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


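The directive Joost names, shown in the role the mod_ssl 2.0 documentation quoted above describes: checking client certificates. This is an added configuration example, not the poster's own file and not Apache project documentation; the server-certificate paths are the placeholders from the thread, the CA paths reuse the poster's /opt/exampleca layout, and requiring a client certificate is an assumption made purely for illustration.

```apache
<VirtualHost _default_:443>
    ServerName 192.168.0.2:443
    SSLEngine on

    # The server's own certificate, exactly as in the thread. Whether THIS
    # certificate is revoked is judged by the connecting browser against the
    # CRL it holds; mod_ssl does not check its own certificate against a CRL.
    SSLCertificateFile      /some/path/01.pem
    SSLCertificateKeyFile   /some/path/testkey.pem
    SSLCertificateChainFile /some/path/cacert.pem

    # Client certificate authentication (assumed here for illustration):
    # accept only certificates issued by the example CA, and reject any whose
    # serial number appears in the CA's CRL. The CRL must be in PEM form, i.e.
    # the example.crl written by "openssl ca -gencrl", not the DER copy that
    # was produced for the Firefox import.
    SSLVerifyClient       require
    SSLVerifyDepth        1
    SSLCACertificateFile  /opt/exampleca/cacert.pem
    SSLCARevocationFile   /opt/exampleca/example.crl
</VirtualHost>
```

Two operational points follow from this. The CRL file is read when Apache starts, so after every `openssl ca -revoke` the CRL has to be regenerated and the server reloaded before the revocation takes effect for client certificates. And the CRL carries a nextUpdate time (seven days after issue with the poster's `default_crl_days = 7`); once that passes, verification fails for every client certificate, not just the revoked ones, so the CRL has to be republished on a schedule shorter than its lifetime.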


[users@httpd] Re: Problem with revoked certificates.

Posted by Joost de Heer <sa...@xs4all.nl>.
domi wrote:

[Question about CRLs]

> <VirtualHost _default_:443>
> ServerName 192.168.0.2:443
> Errorlog /opt/exampleca/ssl_error_log
> Transferlog /opt/exampleca/ssl_access_log
>
> SSLEngine on
>
> SSLCipherSuite HIGH:MEDIUM
>
> SSLProtocol all
>
> SSLCertificateFile /some/path/01.pem
> SSLCertificateKeyFile /some/path/testkey.pem
> SSLCertificateChainFile /some/path/cacert.pem
>
> </VirtualHost>

You are missing a SSLCARevocationFile directive. Apache should check the
CRL, not the browser.

Joost




Re: [users@httpd] Problem with revoked certificates.

Posted by domi <Ke...@web.de>.

Issac Goldstand wrote:
> 
>> Issac wrote:
> 
> Domi,
>   I'm happy it helped.  You can change your opinion any time you like; 
> just access Firefox's certificate store and you can view the 
> certificates you've chosen to trust, and the revocation lists.  If you 
> don't want to continue trusting a cert, based on what you see in the 
> CRL, or for any other reason, take it out of the trusted certificates
> list.
> 
>   By "trusting" the cert in the browser in the first place, you're 
> essentially telling the browser to ignore normal rules and depend on you 
> (as the human user) to determine the certificate's validity and 
> authenticity. 
> As the browser has no way of knowing why you know the certificate is 
> safe in the first place, it makes no assumptions for you as to when to 
> stop trusting it. 
> 
>   Issac
> 
> 

Hello Issac,
I just thought about it and tested a bit (before reading your last message).
I think that I made the mistake of trying to access the site before importing
the CA certificate into my browser. So the browser asks me whether to trust
the certificate of my site. When I import the CA certificate before
accessing the site, this question won’t come up later.
I think I’ll stop here for today because I was busy on this for quite a long
time and my head feels a bit dizzy.
Tomorrow morning I’ll continue here and let you know about my progress.
All comments are welcome in the meanwhile.

best regards domi

PS: Again my thanks to Issac. By the way you wrote
<You can change your opinion any time you like; just access Firefox's
certificate store and you can view the 
<certificates you've chosen to trust, and the revocation lists.
Where is this store or do you mean what you see under
settings-advanced-encryption in the browser? But I'm not able to see the
details of the CRL or is this possible?
An answer would be nice because (as I said) I'm too dizzy to search.
Otherwise I will search tomorrow on my own.


-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8793797
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.




Re: [users@httpd] Problem with revoked certificates.

Posted by Issac Goldstand <ma...@beamartyr.net>.

domi wrote:
> Issac wrote:
>
>
>   
>> domi wrote:
>>     
>>> All the steps in OpenSSL and Apache work as far as I can say. Now follow
>>> some steps to access my site.
>>> step 1: start the Apache with /etc/init.d/apache2 startssl
>>> The certificate in the Apache ssl-global.conf is NOT revoked.
>>>
>>> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
>>> Of course you must trust the certificate.
>>>   
>>>       
>> I'm not a FireFox expert, but it stands to reason that if you manually 
>> trust the cert at this point, it'll continue to be "trusted" even if 
>> it's revoked later. 
>>
>> What you really want to do is browse to your root cert, import that 
>> (which will grant implicit trust to "testcert") and then try importing 
>> the CRL and see if you get any notices.
>>
>>   Issac
>>
>>
>>     
>
> Hey Issac,
>
> both thumbs up for you. After reading your post I built a new CA, created a
> new certificate, revoked it and created the CRL. Then I imported the
> certificate of the CA and afterwards the CRL.
>
> After a new start of Apache and Firefox I made my first try to access the
> new site with the new (revoked) certificate and indeed Firefox told me that
> the certificate was revoked. =) That is great and perhaps I’ll jump around
> enjoying myself for a few minutes.
>
> But that leads me to another problem. Back to my old scenario: Why does the
> trust remain forever although the certificate was revoked? I would expect
> that it is possible to trust a certificate and to alter my opinion when it
> gets revoked …
>
> Am I wrong? Have you got or anybody else out there an answer to this
> question?
>   
Domi,
  I'm happy it helped.  You can change your opinion any time you like; 
just access Firefox's certificate store and you can view the 
certificates you've chosen to trust, and the revocation lists.  If you 
don't want to continue trusting a cert, based on what you see in the 
CRL, or for any other reason, take it out of the trusted certificates list.

  By "trusting" the cert in the browser in the first place, you're 
essentially telling the browser to ignore normal rules and depend on you 
(as the human user) to determine the certificate's validity and 
authenticity. 
As the browser has no way of knowing why you know the certificate is 
safe in the first place, it makes no assumptions for you as to when to 
stop trusting it. 

  Issac



Re: [users@httpd] Problem with revoked certificates.

Posted by domi <Ke...@web.de>.
Issac wrote:


> domi wrote:
>> All the steps in OpenSSL and Apache work as far as I can say. Now follow
>> some steps to access my site.
>> step 1: start the Apache with /etc/init.d/apache2 startssl
>> The certificate in the Apache ssl-global.conf is NOT revoked.
>>
>> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
>> Of course you must trust the certificate.
>>   
> I'm not a FireFox expert, but it stands to reason that if you manually 
> trust the cert at this point, it'll continue to be "trusted" even if 
> it's revoked later. 
> 
> What you really want to do is browse to your root cert, import that 
> (which will grant implicit trust to "testcert") and then try importing 
> the CRL and see if you get any notices.
> 
>   Issac
> 
> 

Hey Issac,

both thumbs up for you. After reading your post I built a new CA, created a
new certificate, revoked it and created the CRL. Then I imported the
certificate of the CA and afterwards the CRL.

After a new start of Apache and Firefox I made my first try to access the
new site with the new (revoked) certificate and indeed Firefox told me that
the certificate was revoked. =) That is great and perhaps I’ll jump around
enjoying myself for a few minutes.

But that leads me to another problem. Back to my old scenario: Why does the
trust remain forever although the certificate was revoked? I would expect
that it is possible to trust a certificate and to alter my opinion when it
gets revoked …

Am I wrong? Have you got or anybody else out there an answer to this
question?

best regards domi

-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8793352
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.




Re: [users@httpd] Problem with revoked certificates.

Posted by Issac Goldstand <ma...@beamartyr.net>.

domi wrote:
> All the steps in OpenSSL and Apache work as far as I can say. Now follow
> some steps to access my site.
> step 1: start the Apache with /etc/init.d/apache2 startssl
> The certificate in the Apache ssl-global.conf is NOT revoked.
>
> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
> Of course you must trust the certificate.
>   
I'm not a FireFox expert, but it stands to reason that if you manually 
trust the cert at this point, it'll continue to be "trusted" even if 
it's revoked later. 

What you really want to do is browse to your root cert, import that 
(which will grant implicit trust to "testcert") and then try importing 
the CRL and see if you get any notices.

  Issac
