We were getting the no certificate returned error when signing the cert with 
the notAfter field (this was in a PostgreSQL context, if it matters). 

The -verify command reported: 
error 14 at 0 depth lookup:format error in certificate's notAfter field 

Re-signing the cert with the -days x option instead of notAfter solved that 
one... 

Also - and you may not believe this response - have you re-started Apache? 
There's been quite a lot of chatter on various lists about the need to restart 
- refresh won't do, apparently. We had been assuming that mod_ssl would 
(should?) re-read the CRL once a handshake begins, but apparently it doesn't! 
(Bigger brains: please correct if I'm wrong about this). There are good 
arguments on both sides of that conversation but, nonetheless, it creates a 
housekeeping issue. 

Let us know how you get on... Lou 

----- Original Message ----- 
From: "John Doe" <jd...@yahoo.com> 
To: openssl-users@openssl.org 
Sent: Wednesday, November 4, 2009 10:27:32 AM GMT -05:00 US/Canada Eastern 
Subject: Certificate Revocation Lists and Apache... 

Hi, 

I need a little help with Certificate Revocation Lists. 
I did set up client certificate filtering with Apache and it seems to work fine 
so far (used a tutorial on http://www.adone.info/?p=4, down right now). 
I have a "CA" that is signing a "CA SSL". 
Then, the "CA SSL" is signing the client certificates. 
Now, I am testing Certificate Revocation Lists, but Apache keeps saying: 
"Invalid signature on CRL" 
I used: 
$ openssl ca -config openssl.conf -name CA_ssl_default -revoke 
cassl/$CLIENTNAME.pem 
Using configuration from openssl.conf 
Enter pass phrase for cassl/private/cassl.key: 
Revoking Certificate 02. 
Data Base Updated 
$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out 
cassl/crl.pem -crldays 365 
Using configuration from openssl.conf 
Enter pass phrase for /root/Certifs/cassl/private/cassl.key: 
$ # cat cassl/crl.pem 
-----BEGIN X509 CRL----- 
MIIB... 
... 
...v40= 
-----END X509 CRL----- 

In Apache logs, when the CRL file is activated in the conf: 
[debug] ssl_engine_init.c(538): Configuring client authentication 
[debug] ssl_engine_init.c(1113): CA certificate: 
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain 
[debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers 
[ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW] 
[debug] ssl_engine_init.c(626): Configuring certificate revocation facility 
[debug] ssl_engine_init.c(729): Configuring RSA server certificate 
[debug] ssl_engine_init.c(768): Configuring RSA server private key 

When I try to connect with a revoked (or unrevoked) certificate, I get: 
[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: 
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: 
/C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain 
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, 
CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 
14:39:36 2010 GMT 
[warn] Invalid signature on CRL 
[error] Certificate Verification: Error (8): CRL signature failure 
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client 
certificate B 
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client 
certificate B 
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client 
certificate B 
[info] [client 192.168.16.23] SSL library error 1 in handshake (server 
myhost.mydomain:12345) 
[info] SSL Library Error: 67567722 error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01 
[info] SSL Library Error: 67530866 error:04067072:rsa 
routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed 
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding 
routines:ASN1_item_verify:EVP lib 
[info] SSL Library Error: 336105650 error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 
[info] [client 192.168.16.23] Connection closed to child 0 with abortive 
shutdown (server myhost.mydomain:12345) 

Also, at one point, I got a "data too large": 
[warn] Invalid signature on CRL 
[error] Certificate Verification: Error (8): CRL signature failure 
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client 
certificate B 
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client 
certificate B 
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client 
certificate B 
[info] [client 192.168.16.23] SSL library error 1 in handshake (server 
myhost.mydomain:12345) 
[info] SSL Library Error: 67530884 error:04067084:rsa 
routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus 
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding 
routines:ASN1_item_verify:EVP lib 
[info] SSL Library Error: 336105650 error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 
[info] [client 192.168.16.23] Connection closed to child 0 with abortive 
shutdown (server myhost.mydomain:12345) 
I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, 
but I don't have this error anymore... 

How can I check if the crl.pem file is ok? 
$ openssl crl -in cassl/crl.pem -text 
Certificate Revocation List (CRL): 
Version 1 (0x0) 
Signature Algorithm: sha1WithRSAEncryption 
Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain 
Last Update: Nov 4 14:39:36 2009 GMT 
Next Update: Nov 4 14:39:36 2010 GMT 
Revoked Certificates: 
Serial Number: 02 
Revocation Date: Nov 4 14:37:03 2009 GMT 
Signature Algorithm: sha1WithRSAEncryption 
03:... 
... 
...:8d 
-----BEGIN X509 CRL----- 
MIIB... 
... 
...v40= 
-----END X509 CRL----- 

I also tried all sorts of verify combos, but all fail: 
$ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check 
cassl/crl.pem 
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] 
[-crl_check] [-engine e] cert1 cert2 ... 
$ openssl verify -verbose -CApath cassl/ -purpose crlsign -crl_check 
cassl/crl.pem 
unable to load certificate 
9605:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE 
$ openssl verify -verbose -CAfile cassl/cassl.pem -purpose crlsign -crl_check 
cassl/crl.pem 
unable to load certificate 
9606:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE 

Any idea what I am doing wrong? 

Thx, 
JD 
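The check JD asks for is not `openssl verify` (which takes certificates as its arguments, hence "Expecting: TRUSTED CERTIFICATE" when handed a CRL) but `openssl crl -CAfile`: it looks up the CRL's issuer by subject name in the given file and checks the CRL signature with that certificate's public key. The script below is an added example, not code from the thread or from the OpenSSL project. It builds a constructed two-level CA (root, intermediate, one client certificate), revokes the client certificate, generates a CRL with `openssl ca -gencrl`, and then checks the CRL against three candidates: the intermediate (verifies), the root (not the CRL issuer at all), and a decoy certificate that carries the intermediate's subject name but a different key (same name, signature failure: the same shape as the log above, where the CRL issuer DN and the DN of the depth-2 CA certificate are identical). The working directory, file names, subject names and the configuration file are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: two-level CA, revoke a client cert,
# publish a CRL, and test which CA certificate verifies the CRL signature.
# Every path, name and config value below is constructed for this demo.
set -eu

WORK=${WORK:-$(mktemp -d)}   # hypothetical scratch directory
cd "$WORK"
mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber

# Minimal configuration for 'openssl req' and 'openssl ca' (constructed)
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = sub_ca
[ sub_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/sub.crt
private_key = $dir/sub.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
EOF

q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# Root "CA": self-signed
q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -extensions ca_ext -subj "/CN=Demo Root CA" -keyout root.key -out root.crt
# Intermediate "CA SSL": CSR signed by the root
q openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr
q openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.cnf -extensions ca_ext -out sub.crt
# Client certificate issued by the intermediate via 'openssl ca', so that
# it is recorded in index.txt and can be revoked later
q openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client1" -keyout client.key -out client.csr
q openssl ca -batch -config ca.cnf -in client.csr -out client.crt
# Revoke it and publish a CRL signed with the intermediate's key
q openssl ca -config ca.cnf -revoke client.crt
q openssl ca -config ca.cnf -gencrl -out crl.pem
# Decoy: a different key under the *same* subject name as the intermediate
q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -extensions ca_ext -subj "/CN=Demo Sub CA" -keyout decoy.key -out decoy.crt

# crl_verifies_with CRL CERT -> success only if CERT is found as the CRL's
# issuer (lookup by subject name) AND its public key verifies the signature.
# 'openssl crl' reports "verify OK" / "verify failure" on stderr.
crl_verifies_with() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# crl_revokes_serial CRL SERIAL -> success if the CRL lists that serial
crl_revokes_serial() {
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"
}

for c in sub.crt root.crt decoy.crt; do
    if crl_verifies_with crl.pem "$c"; then
        echo "$c: verify OK"
    else
        echo "$c: does not verify crl.pem"
    fi
done
crl_revokes_serial crl.pem 01 && echo "serial 01 is listed as revoked"
```

Two details of the log are worth reading against this: an RSA signature checked with the wrong public key of the same size surfaces as `RSA_padding_check_PKCS1_type_1:block type is not 01`, and one checked with a key of a different size surfaces as `RSA_EAY_PUBLIC_DECRYPT:data too large for modulus`, which is why the "data too large" variant disappeared after the key sizes were changed while the "block type" variant did not. Running the function against each CA certificate you have configured in Apache tells you which key the CRL was actually signed with.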



______________________________________________________________________ 
OpenSSL Project http://www.openssl.org 
User Support Mailing List openssl-users@openssl.org 
Automated List Manager majord...@openssl.org 