domi wrote:
> Hello all together,
Hello Domi,

> I’m not quite sure where to post my question because I wasn’t able to locate
> my fault. So I’ll post my question in the OpenSSL-user forum and in the
> Apache http server-users forum. A similar post in a German Firefox forum
> brought no solution. Please excuse if the question doesn’t fit into this
> forum.

[...]

Thanks for the detailed information you have given.
Unfortunately most of it is quite useless in this situation ;-)

What we need is:
* The CA certificate
* The server certificate
* The CRL
* The output of
  openssl verify -CAfile CAandCRLconcatenated.pem -verbose -crl_check \
          server.pem
* The output of
  openssl s_client -verify 5 -CAfile CAandCRLconcatenated.pem -showcerts \
          -connect 192.168.0.2:443


> Here is my openssl.cnf:
[...]
> [ certificate_extensions ]
> basicConstraints      = CA:false
> crlDistributionPoints=URI:https://192.168.0.2/derexample.crl
Why is this https ?
The CRL is public information.
This could lead to something like:
* Browser wants to connect HTTPS on 192.168.0.2
* HTTPS on 192.168.0.2 returns cert.
* browser wants to check integrity of cert from 192.168.0.2
* browser connects HTTPS on 192.168.0.2.
* HTTPS on 192.168.0.2 returns cert.
* browser wants to check integrity of cert from 192.168.0.2
...

[...]
> Now to my Apache part:
This is useless information.
The server only supplies the CRL and uses the server cert on https
connections. How apache is configured to do this is not an issue here.

[...]
> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
> Of course you must trust the certificate.
But only temporarily for this session...

[...]
> step 7: new start of Apache and Firefox. The site can still be accessed
> although the certificate is revoked; no error message or something like that
> is shown. I also deleted the private internet files and the last visited
> pages to avoid that my site still lies somewhere in the cache.
This seems to be a browser problem.
Try to do this with a server without crlDistributionPoints extension.


Bye

Goetz
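The "openssl verify -crl_check" run Goetz asks for, as an added example that is not part of the thread: it builds a throwaway CA in a temp directory, issues and then revokes one server certificate, generates the CRL, and verifies the server cert against the concatenated CA cert + CRL file both with and without -crl_check. It assumes only an openssl binary on PATH; all names (ca.cnf, demo_ca, the CN values) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces the "openssl verify -crl_check"
# check from the reply. Throwaway CA in a temp dir, one server cert, revoked,
# CRL generated, CA cert + CRL concatenated as -CAfile. Assumes openssl on PATH.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config: [ca] is what "openssl ca -revoke/-gencrl" needs; [req] is used
# for the self-signed CA cert (must carry CA:TRUE or verify rejects it as a CA).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
: > index.txt; echo 01 > serial
# 1. Self-signed CA; 2. server CSR + cert signed by the CA (serial 01)
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -subj "/CN=Demo Test CA" -days 30 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout server.key \
  -out server.csr -subj "/CN=192.168.0.2" 2>/dev/null
openssl ca -batch -config ca.cnf -in server.csr -out server.pem -days 30 \
  -notext >/dev/null 2>&1
# 3. Revoke the server cert, publish a CRL, build the combined -CAfile
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
cat ca.pem crl.pem > CAandCRLconcatenated.pem

# Echo "ok" or "rejected"; $1 is an extra verify flag such as -crl_check
verify_server() {
  if openssl verify -CAfile CAandCRLconcatenated.pem $1 server.pem 2>/dev/null \
     | grep -q '^server.pem: OK$'; then echo ok; else echo rejected; fi
}
echo "without -crl_check: $(verify_server '')"
echo "with    -crl_check: $(verify_server -crl_check)"
```

Without -crl_check the revoked certificate still verifies, which is exactly why the reply asks for the output of the -crl_check run rather than a plain verify.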