httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Erwann ABALEA" <eaba...@gmail.com>
Subject Re: CRL verification in mod_ssl
Date Wed, 15 Oct 2008 16:08:53 GMT
Hello Mr Henson,

2008/10/15 Dr Stephen Henson <steve@openssl.org>:
> Dirk-Willem van Gulik wrote:
>> On Aug 28, 2008, at 9:41 PM, Nicob wrote:
[...]
> While I haven't reviewed this specific patch I have a general comment.
>
> There is currently some questionable behaviour in mod_ssl CRL handling.
> For example it ignores critical CRL extensions, whereas OpenSSL either
> processes them (if they are recognised) or rejects the CRL (if they are
> not). This is required by RFC3280 and not doing so raises some security
> issues.

You're right. The original mod_ssl code doesn't check this, neither
for the CRL extensions, nor for the CRLentries extensions.
It can be added after the signature verification.

> IMHO it would be best if mod_ssl delegated CRL handling to OpenSSL by
> setting the necessary verification flags instead of duplicating
> functionality. In the past mod_ssl didn't have much choice but to do
> it's own thing because then OpenSSL CRL handling was either absent or
> broken.

That was a proposed solution, some months ago, IIRC. Unfortunately,
OpenSSL has the same behaviour as mod_ssl regarding the problem solved
by this patch; it considers that the key used to sign the user
certificate is the same key used to sign the CRL. That assumption is
false in 2 cases (at least):
 - a CA using keys+certificates for different usages (certificate
signing and CRL signing)
 - a CA renewal (with rekeying)

I proposed the same kind of patch on the OpenSSL mailing lists some
months ago, and only debated with Mr Patterson about the merits of a
CA renewal with/without rekeying. If you want to contact me privately
to talk about this, feel free to do so.

I'm also in favor of letting OpenSSL perform the validation path and
CRL checking, if we can also handle the existing configurations (for
example, a typical Apache configuration has different
SSLCACertificatePath and SSLCARevocationPath directives, and OpenSSL
uses a unified path for both certificates and CRLs). Problems about
CRL refreshing should also be taken into account; killing and
restarting a webserver every hour or every day because we downloaded a
new CRL is not a viable solution in a production environment, and OCSP
is not always a good answer (we're not talking about a sub-minute
revocation status).
On the other way, letting Apache perform the certificate validation
permits the use of OCSP, transparently, if the CA is configured to do
so.

> Things are rather better now. The 0.9.9-dev version of OpenSSL is
> compliant with all the RFC3280 PKITS tests for example. The 0.9.8
> handling isn't quite so complete though.

OpenSSL 0.9.9-dev is mostly compliant to PKITS, yes, but not fully.
I'm reading my CVS copy, and based on this reading, Test19 of PKITS
test isn't OK (this is the case with separate certificate and CRL
keys). I'm now reading the check_crl() function, in x509_vfy.c file.
This is also solved by this patch.

> If the OpenSSL CRL handling needs to be made more mod_ssl friendly I'd
> be happy to coordinate changes to OpenSSL.

So do I, in my spare time. We use OpenSSL and other PKI toolkits in a
business environment, so their evolution is also our concern.

-- 
Erwann.

Mime
View raw message