Hi,
already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did set up client certificate filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the client certificates.

Now, I am testing Certificate Revocation Lists, but apache keeps saying: "Invalid signature on CRL"

I used:

$ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
Using configuration from openssl.conf
Enter pass phrase for cassl/private/cassl.key:
Revoking Certificate 02.
Data Base Updated
$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
Using configuration from openssl.conf
Enter pass phrase for /root/Certifs/cassl/private/cassl.key:
$ cat cassl/crl.pem
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----
In apache logs, when the CRL file is activated in the conf:

[debug] ssl_engine_init.c(538): Configuring client authentication
[debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[debug] ssl_engine_init.c(626): Configuring certificate revocation facility
[debug] ssl_engine_init.c(729): Configuring RSA server certificate
[debug] ssl_engine_init.c(768): Configuring RSA server private key
When I try to connect with a revoked (or unrevoked) certificate, I get:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)
Also, at one point, I got a "data too large":

[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, but I don't have this error anymore...
How can I check if the crl.pem file is ok?

$ openssl crl -in cassl/crl.pem -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
        Last Update: Nov 4 14:39:36 2009 GMT
        Next Update: Nov 4 14:39:36 2010 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Nov 4 14:37:03 2009 GMT
    Signature Algorithm: sha1WithRSAEncryption
        03:...
        ...
        ...:8d
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----
I also tried all sorts of verify combos, but all fail:

$ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
$ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check cassl/crl.pem
unable to load certificate
9605:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
$ openssl verify -verbose -CAfile cassl/cassl.pem -purpose crlsign -crl_check cassl/crl.pem
unable to load certificate
9606:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
Any idea what I am doing wrong?
Thx, JD
John Doe wrote:
[warn] Invalid signature on CRL [error] Certificate Verification: Error (8): CRL signature failure
Any relation to this? https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
I've worked with a lot of ssl stuff in apache but have never touched CRL before.
Interestingly enough, I found last year that some of Verisign's CRLs weren't built to scale. One of our customers put some content on their site that pointed back to us, which then triggered a call to the CRL for those people using IE and Symantec anti-virus (which turned on the CRL option in IE). The site was a very high traffic site and the customers routinely got errors from the CRL site because it was overloaded with requests.
So few use CRL, I really don't see the benefit, but I suppose in really controlled environments it could be useful (just not to me).
nate
From: nate centos@linuxpowered.net
Any relation to this? https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
I don't think so; my tests are quite simple:
- Start from clean state
- Generate CA certificate
- Generate CASSL certificate signed by CA
- Generate Client Certificate signed by CASSL
- Generate Revocation Certificate signed by CASSL
All the steps are in one go (no changes of any kind in between). In my tests, I am only using one crl file with one revocation certificate. Tried the revocationpath and it did nothing at all for me...
So few use CRL, I really don't see the benefit, but I suppose in really controlled environments it could be useful (just not to me).
The goal is to be able to distribute client certificates to filter web access to certain resources. But we also need a way to revoke such access in the future if needed. Let's say someone lost his laptop with his certificate, or he became an evil hacker, or he just left the company... We need to disable his certificate, instead of having to regenerate the CASSL certificate and all the client certificates... or wait for it to expire...
Thx, JD
John Doe wrote:
The goal is to be able to distribute client certificates to filter web access to certain resources.
How about using just basic user names and passwords? Seems a lot simpler. Client certs can really make things messy and complicated. I worked with them a bunch several years ago, ENDLESS headaches, and we weren't using CRL formally at least; the application had a sort of CRL built into it, where we specifically registered certain CNs with the app, and apache just acted as a pass-through mechanism to the app (which was java/tomcat).
http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html
nate
On Wed, 4 Nov 2009, John Doe wrote:
already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the clients certificates.
Now, I am testing Certificate Revocation Lists, but apache keeps saying: "Invalid signature on CRL"
I used:
$ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
[....]
$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
So far so good.
When I try to connect with a revoked (or unrevoked) certificate, I get:
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
Does your "CA SSL" certificate have its CRL signing bit set?
openssl x509 -noout -purpose -in yourcert.pem | grep CRL
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
How can I check if the crl.pem file is ok? $ openssl crl -in cassl/crl.pem -text [...]
This is the best way, and it looks as if things are OK.
I also tried all sorts of verify combos, but all fail: $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
The 'verify' option is only good for certificates, not CRLs. It's also worth noting that the 'verify' option doesn't do any CRL checking. Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page and you'll see a lot of 'unused' notes.
From: Paul Heinlein heinlein@madboa.com
When I try to connect with a revoked (or unrevoked) certificate, I get:
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
Does your "CA SSL" certificate have its CRL signing bit set? openssl x509 -noout -purpose -in yourcert.pem | grep CRL
$ openssl x509 -noout -purpose -in cassl/cassl.pem | grep CRL
CRL signing : Yes
CRL signing CA : Yes
Also:
$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...VQ=
-----END X509 CRL-----
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN: https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Hum.. that might be the case... They must all use 'myhost.mydomain' as CN... Do you know how to specify different CNs in a common openssl.conf file? Here's my openssl.conf:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/certs
certs = $dir/ca/certs
new_certs_dir = $dir/ca/newcerts
database = $dir/ca/index
certificate = $dir/ca/ca.pem
serial = $dir/ca/serial
private_key = $dir/ca/private/ca.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ CA_ssl_default ]
dir = /root/Certifs
certs = $dir/cassl/certs
new_certs_dir = $dir/cassl/newcerts
database = $dir/cassl/index
certificate = $dir/cassl/cassl.pem
serial = $dir/cassl/serial
private_key = $dir/cassl/private/cassl.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country
countryName_default = AA
stateOrProvinceName = State
stateOrProvinceName_default = BB
localityName = Locality
localityName_default = CC
organizationName = Organization
organizationName_default = DD
commonName = CN
commonName_default = myhost.mydomain
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[CA_ROOT]
nsComment = "CA Root"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign, cRLSign

[CA_SSL]
nsComment = "CA SSL"
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA

[SERVER_RSA_SSL]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = DNS:myhost.mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth

[CLIENT_RSA_SSL]
nsComment = "Certificat Client SSL"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = critical,email:copy,email:info@mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
nsCertType = client
extendedKeyUsage = clientAuth
Thx, JD
On Thu, 5 Nov 2009, John Doe wrote:
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN: https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Hum.. that might be the case... They must all use 'myhost.mydomain' as CN... Do you know how to specify different CNs in a common openssl.conf file?
I use a Makefile wrapper around the openssl calls. Here's a condensed version:
----- %< -----
#
# usage:
#
#   make my.hostname.com.csr  -- generate a CSR for host
#   make my.hostname.com.crt  -- build a CA-signed certificate
#

CONF    = openssl.cnf
OPENSSL = openssl
SUBJECT = /C=US/ST=OR/L=Portland/O=Our Organization
CSRARGS = req -new -config $(CONF)
CRTARGS = ca -config $(CONF)

.PRECIOUS: %.key

%.key:
	$(OPENSSL) genrsa -out $@ 2048

%.csr: %.key
	$(OPENSSL) $(CSRARGS) -key $^ -out $@ -subj "$(SUBJECT)/CN=$*"

%.crt: %.csr
	$(ENV) CN=$* $(OPENSSL) $(CRTARGS) -in $^ -out $@
----- %< -----
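As an added example (not from this thread, and not Paul's Makefile), here is a self-contained script that builds the same kind of two-tier setup with distinct CNs set through -subj, issues two client certificates, revokes one, generates the CRL with openssl ca -gencrl, and then runs the checks that isolate a "CRL signature failure" before Apache is involved: the CRL verified against the CA that issued it, the same CRL verified against the wrong CA, and openssl verify -crl_check with the CRL supplied via -CRLfile for a revoked and an unrevoked certificate. The function name build_and_check, the CA names and the user names alice and bob are constructed for the example; it needs only the openssl command-line tool and works in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: two-tier CA with distinct CNs, one
# revoked and one valid client cert, CRL generation and the CLI checks that
# tell a bad CA/CRL pairing apart from a bad CRL. Requires the openssl CLI.
# All names below ("Example Root CA", "alice", "bob") are constructed values.

build_and_check() (
  work=$(mktemp -d) && cd "$work" || return 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/issuing.pem
private_key = $dir/issuing.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber

  # Root CA (self-signed) and issuing CA (signed by the root); the CN is set
  # with -subj so the two never collide even though they share one config.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/O=Example/CN=Example Root CA" -config ca.cnf -extensions v3_root -days 3650 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
    -subj "/O=Example/CN=Example Issuing CA" -config ca.cnf 2>/dev/null
  openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out issuing.pem -days 1825 -extfile ca.cnf -extensions v3_subca 2>/dev/null
  cat root.pem issuing.pem > chain.pem

  # Two client certs issued through "openssl ca" so they land in the database.
  for user in alice bob; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$user.key" -out "$user.csr" \
      -subj "/O=Example/CN=$user" -config ca.cnf 2>/dev/null
    openssl ca -batch -config ca.cnf -extensions v3_client -notext \
      -in "$user.csr" -out "$user.pem" >/dev/null 2>&1
  done
  # Revoke alice only, then publish a CRL signed by the issuing CA's key.
  openssl ca -batch -config ca.cnf -revoke alice.pem >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

  # Check 1: the CRL signature verifies against the CA that actually issued it.
  if openssl crl -in crl.pem -CAfile issuing.pem -noout 2>&1 | grep -q 'verify OK'
  then printf 'crl_sig_ok '; else printf 'crl_sig_bad '; fi
  # Check 2: the same CRL is rejected against the wrong CA (the root). A server
  # holding the wrong CA certificate for the CRL's issuer name fails the same way.
  if openssl crl -in crl.pem -CAfile root.pem -noout 2>&1 | grep -q 'verify OK'
  then printf 'wrong_ca_accepted '; else printf 'wrong_ca_rejected '; fi
  # Check 3: with the CRL applied, the revoked cert fails and the other passes.
  if openssl verify -CAfile chain.pem -crl_check -CRLfile crl.pem alice.pem >/dev/null 2>&1
  then printf 'revoked_accepted '; else printf 'revoked_rejected '; fi
  if openssl verify -CAfile chain.pem -crl_check -CRLfile crl.pem bob.pem >/dev/null 2>&1
  then printf 'unrevoked_ok\n'; else printf 'unrevoked_rejected\n'; fi

  cd / && rm -rf "$work"
)

build_and_check
```

Run it with sh and it prints four tokens; anything other than "crl_sig_ok wrong_ca_rejected revoked_rejected unrevoked_ok" names the step that is broken. The second check is the one that matters for a "CRL signature failure" in the server log: a CRL only ever verifies against the key of the CA that signed it, so if the certificate the server holds for that issuer name is not the one that generated the CRL, the signature check fails even though openssl crl -text shows a perfectly well-formed CRL.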
From: Paul Heinlein heinlein@madboa.com
On Thu, 5 Nov 2009, John Doe wrote:
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN: https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Hum.. that might be the case... They must all use 'myhost.mydomain' as CN... Do you know how to specify different CNs in a common openssl.conf file?
I use a Makefile wrapper around the openssl calls.
I used the -subj to override the CN from the conf file and now I have different CNs for the ca and cassl, but it did not solve the problem... It still works fine without CRL. But with it:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 1, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=my.ca
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=my.ca, lastUpdate: Nov 6 10:16:52 2009 GMT, nextUpdate: Nov 6 10:16:52 2010 GMT
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 0, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 6 10:16:52 2009 GMT, nextUpdate: Nov 6 10:16:52 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67686519 error:0408D077:rsa routines:FIPS_RSA_VERIFY:wrong signature length
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 1 with abortive shutdown (server myhost.mydomain:12345)

Not sure if the errors after the "CRL signature failure" are a side effect or the reason for the failure; especially the "wrong signature length"...
Thx, JD