CentOS - Nov 2009 - Certificates Revocation Lists and Apache...

Hi,

already asked in the openssl mailing list, but just in case you already went
through this...
I need a little help with Certificate Revocation Lists.
I did setup client certificates filtering with apache and it seem to work fine
so far (used a tutorial on http://www.adone.info/?p=4, down right now).
I have a "CA" that is signing a "CA SSL".
Then, the "CA SSL" is signing the clients certificates.
Now, I am testing Certificate Revocation Lists, but apache keeps saying:
"Invalid signature on CRL"
I used:
  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke
cassl/$CLIENTNAME.pem
  Using configuration from openssl.conf
  Enter pass phrase for cassl/private/cassl.key:
  Revoking Certificate 02.
  Data Base Updated
  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out
cassl/crl.pem -crldays 365
  Using configuration from openssl.conf
  Enter pass phrase for /root/Certifs/cassl/private/cassl.key:
  $ # cat cassl/crl.pem
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40  -----END X509 CRL-----

In apache logs, when the CRL file is activated in the conf:
  [debug] ssl_engine_init.c(538): Configuring client authentication
  [debug] ssl_engine_init.c(1113): CA certificate:
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
  [debug] ssl_engine_init.c(626): Configuring certificate revocation facility
  [debug] ssl_engine_init.c(729): Configuring RSA server certificate
  [debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:
  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2,
subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer:
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD,
CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4
14:39:36 2010 GMT
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client
certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client
certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client
certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server
myhost.mydomain:12345)
  [info] SSL Library Error: 67567722 error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
  [info] SSL Library Error: 67530866 error:04067072:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding
routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive
shutdown (server myhost.mydomain:12345)

Also, at one point, I got a "data too large":
  [warn] Invalid signature on CRL
  [error] Certificate Verification: Error (8): CRL signature failure
  [debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client
certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client
certificate B
  [debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client
certificate B
  [info] [client 192.168.16.23] SSL library error 1 in handshake (server
myhost.mydomain:12345)
  [info] SSL Library Error: 67530884 error:04067084:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
  [info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding
routines:ASN1_item_verify:EVP lib
  [info] SSL Library Error: 336105650 error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  [info] [client 192.168.16.23] Connection closed to child 0 with abortive
shutdown (server myhost.mydomain:12345)
I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped,
but I don't have this error anymore...

How can I check if the crl.pem file is ok?
  $ openssl crl -in cassl/crl.pem -text
  Certificate Revocation List (CRL):
          Version 1 (0x0)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
          Last Update: Nov  4 14:39:36 2009 GMT
          Next Update: Nov  4 14:39:36 2010 GMT
  Revoked Certificates:
      Serial Number: 02
          Revocation Date: Nov  4 14:37:03 2009 GMT
      Signature Algorithm: sha1WithRSAEncryption
          03:...
          ...
          ...:8d
  -----BEGIN X509 CRL-----
  MIIB...
  ...
  ...v40  -----END X509 CRL-----

I also tried all sorts of verify combos, but all fail:
  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check
cassl/crl.pem
  usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose]
[-crl_check] [-engine e] cert1 cert2 ...
  $ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check
cassl/crl.pem
  unable to load certificate
  9605:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
  $ openssl verify -verbose -CAfile cassl/cassl.pem -purpose crlsign -crl_check
cassl/crl.pem
  unable to load certificate
  9606:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

Any idea what I am doing wrong?

Thx,
JD

John Doe wrote:
>   [warn] Invalid signature on CRL
>   [error] Certificate Verification: Error (8): CRL signature failure
Any relation to this?
https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

I've worked with a lot of ssl stuff in apache but have never
touched CRL before.

Interestingly enough I found last year that some of verisign's
CRLs weren't built to scale, one of our customers put some content
on their site that pointed back to us, which then triggered a call
to the CRL for those people using IE and Symantec anti virus(which
turned on the CRL option in IE), the site was a very high traffic
site and the customers routinely got errors from the CRL site
because it was overloaded with requests.

So few use CRL, I really don't see the benefit, but I suppose in
really controlled environments it could be useful(just not to me).

nate

On Wed, 4 Nov 2009, John Doe wrote:
> already asked in the openssl mailing list, but just in case you already
went through this...
> I need a little help with Certificate Revocation Lists.
> I did setup client certificates filtering with apache and it seem to work
fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a "CA" that is signing a "CA SSL".
> Then, the "CA SSL" is signing the clients certificates.
>
> Now, I am testing Certificate Revocation Lists, but apache keeps 
> saying: "Invalid signature on CRL"
>
> I used:
>  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke
cassl/$CLIENTNAME.pem
>  [....]
>  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out
cassl/crl.pem -crldays 365
So far so good.
> When I try to connect with a revoked (or unrevoked) certificate, I get:
>  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2,
subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer:
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
>  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC,
O=DD, CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov 
4 14:39:36 2010 GMT
>  [warn] Invalid signature on CRL
>  [error] Certificate Verification: Error (8): CRL signature failure
Does your "CA SSL" certificate have its CRL signing bit set?

   openssl x509 -noout -purpose -in yourcert.pem | grep CRL

Also, there's an Apache bug that fouls things up if the "CA" and
"CA
SSL" root certificates both have the same CN:

   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
> How can I check if the crl.pem file is ok?
>  $ openssl crl -in cassl/crl.pem -text
>  [...]
This is the best way, and it looks as if things are OK.
> I also tried all sorts of verify combos, but all fail:
>  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check
cassl/crl.pem
The 'verify' option is only good for certifcates, not CRLs. It's
also
worth noting that the 'verify' option doesn't do any CRL checking. 
Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page 
and you'll see a lot of 'unused' notes.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/