[CentOS] Certificates Revocation Lists and Apache...

Wed Nov 4 15:33:23 UTC 2009
John Doe <jdmls at yahoo.com>

Hi,

I already asked on the openssl mailing list, but just in case you already went through this...
I need a little help with Certificate Revocation Lists.
I did set up client certificate filtering with Apache and it seems to work fine so far (I used a tutorial at http://www.adone.info/?p=4, which is down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SSL" is signing the client certificates.
Now, I am testing Certificate Revocation Lists, but Apache keeps saying: "Invalid signature on CRL"
I used:
  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
  Using configuration from openssl.conf
  Enter pass phrase for cassl/private/cassl.key:
  Revoking Certificate 02.
  Data Base Updated
  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
  Using configuration from openssl.conf
  Enter pass phrase for /root/Certifs/cassl/private/cassl.key:
  $ # cat cassl/crl.pem
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40=
  -----END X509 CRL-----

In the Apache logs, when the CRL file is activated in the conf:
  [debug] ssl_engine_init.c(538): Configuring client authentication
  [debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
  [debug] ssl_engine_init.c(626): Configuring certificate revocation facility
  [debug] ssl_engine_init.c(729): Configuring RSA server certificate
  [debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:
  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4 14:39:36 2010 GMT
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
  [info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
  [info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

Also, at one point, I got a "data too large":
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
  [info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)
I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, but I don't have this error anymore...

How can I check if the crl.pem file is ok?
  $ openssl crl -in cassl/crl.pem -text
  Certificate Revocation List (CRL):
          Version 1 (0x0)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
          Last Update: Nov  4 14:39:36 2009 GMT
          Next Update: Nov  4 14:39:36 2010 GMT
  Revoked Certificates:
      Serial Number: 02
          Revocation Date: Nov  4 14:37:03 2009 GMT
      Signature Algorithm: sha1WithRSAEncryption
          03:...
          ...
          ...:8d
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40=
  -----END X509 CRL-----

I also tried all sorts of verify combos, but all fail:
  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
  usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
  $ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check cassl/crl.pem
  unable to load certificate
  9605:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
  $ openssl verify -verbose -CAfile cassl/cassl.pem -purpose crlsign -crl_check cassl/crl.pem
  unable to load certificate
  9606:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

Any idea what I am doing wrong?

Thx,
JD
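Added example, not part of the post above: `openssl verify` expects a certificate (hence "Expecting: TRUSTED CERTIFICATE" when it is handed a CRL); the tool that answers "is crl.pem ok?" is `openssl crl -CAfile`, which, like mod_ssl, picks the verifying key by looking the CRL's issuer DN up in the CA store and only then checks the signature. The script below builds two constructed CAs that share one subject DN (the log above shows the CRL issuer and the depth-2 root CA both named CN=myhost.mydomain), issues a CRL from the second, and shows that the CRL verifies only against the key that actually signed it; all file names, DNs and key sizes are assumptions for the example.

```shell
#!/bin/sh
# Added example: verify a CRL's signature the way mod_ssl does (lookup by
# issuer DN, then signature check). Two CAs with the same subject DN but
# different keys show that only the real signer's key verifies the CRL.
set -eu

make_ca() {   # make_ca <name> <subject>: self-signed CA cert + unencrypted key
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_crl() {  # make_crl <ca-name> <out-crl>: empty CRL signed with that CA's key
    : > "$1.index.txt"                     # empty 'openssl ca' database
    cat > "$1.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = ./$1.index.txt
certificate      = ./$1.pem
private_key      = ./$1.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$1.cnf" -gencrl -out "$2" 2>/dev/null
}

# crl_verifies_with <crl> <ca-cert>: returns 0 only if the CRL signature
# verifies with the key of the cert whose subject matches the CRL issuer.
crl_verifies_with() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

WORK=$(mktemp -d); cd "$WORK"
DN='/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain'   # constructed; identical for both CAs
make_ca root "$DN"
make_ca sub  "$DN"                              # same DN as root, different key
make_crl sub crl.pem                            # CRL issued by the sub CA

for ca in sub root; do
    if crl_verifies_with crl.pem "$ca.pem"; then
        echo "crl.pem against $ca.pem: verify OK"
    else
        echo "crl.pem against $ca.pem: verify failure (this DN resolves to the wrong key)"
    fi
done
```

With a real two-level CA, run `openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem -noout` and then the same command with the root CA file; if the signing CA and the root share a subject DN, the lookup by issuer name cannot tell them apart and the signature check fails with exactly the RSA padding errors seen in the log.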