Hello all together, I’m not quite sure where to post my question because I wasn’t able to locate my fault. So I’ll post my question in the OpenSSL-user forum and in the Apache http server-users forum. A similar post in a German Firefox forum brought no solution. Please excuse if the question doesn’t fit into this forum.
To my situation: I’m using Linux/ Suse 10.0 with an Apache 2.0.54, OpenSSL 0.9.7g. and Firefox 2.0.1. I’m the webserver and client in one person. I’ve given my computer a static IP-adress: 192.168.0.2 I’ve built a simple Website to which I’ve got access with https://192.168.0.2 I want to include the use of CRLs. Client certificates are no subject to me. The Apache and OpenSSL work very fine and I’m able to create CRLs and import them into my Firefox. To my problem: When my webserver uses certificates which are revoked (I revoked them) I’m still able to access the site although the browser has got the newest CRL. I’ve read a lot of configs and howtos but I still don’t know the reason for this fault. If anyone knows a good howto for my scenario or (and better) the solution for my problem please let me know. Subsequent I post some excerpt of what I’ve done so far. Here is the OpenSSL part starting with the creation of my CA. At first the basics: # mkdir /opt/exampleca # cd /opt/example ca # mkdir certs private # chmod g-rwx,o-rwx private # echo ‘01’ > serial touch index.txt Here is my openssl.cnf: [ ca ] default_ca = exampleca [ exampleca ] dir = /opt/exampleca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = md5 policy = exampleca_policy x509_extensions = certificate_extensions [ exampleca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false crlDistributionPoints=URI:https://192.168.0.2/derexample.crl [ req ] default_bits = 2048 default_keyfile = /opt/exampleca/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = Example CA stateOrProvinceName = Virginia countryName = US emailAddress = [EMAIL PROTECTED] organizationName = Root Certification Authority [ root_ca_extensions ] basicConstraints = CA:true With this code I’m telling OpenSSL where to find my config file # OPENSSL_CONF=/opt/exampleca/openssl.cnf # OPENSSL_CONF Generating a self-signed root certificate # openssl req –x509 –newkey rsa –out cacert.pem –outform PEM A look at the output of the self-signed root certificate # openssl x509 –in cacert.pem –text –noout Generating a certificate request # openssl req –newkey rsa:1024 –keyout testkey.pem –keyform PEM –out testreq.pem –outform PEM A look at the output of the certificate request # openssl req –in testreq.pem –text –noout Issue a certificate from a certificate request # openssl ca –in testreq.pem Revoke a certificate # cp certs/01.pem testcert.pem # openssl ca –revoke testcert.pem Generating a CRL # openssl ca –gencrl –out example.crl A look at the output of the CRL # openssl crl –in exampleca.crl –text –noout verify the signatur of the CRL # openssl crl –in exampleca.crl –noout –CAfile cacert.pem transform the CRL from PEM to DER because Firefox needs DER-format openssl crl -in example.crl –outform DER –out derexample.crl A look at the output of the DER-CRL openssl crl -text -noout -in derexample.crl -inform der Now to my Apache part: I copy the derexample.crl into the DocumentRoot of the Apache so that I can access it with https://192.168.0.2/derexample.crl That’s probably not 100% secure but it works for now and it will be changed in the near future. Now to the Apache configs: - LoadModule ssl_module is included in my loadmodule.conf - an excerpt of my default-server.conf: <Directory „/srv/www/htdocs“> SSLRequireSSL Options None AllowOverride None Oder allow, deny Allow from all </Directory> - Here is my complete ssl-global.conf: ##SSL Global Context <IfDefine SSL> <IfDefine !NOSSL> <IfModule mod_ssl.c> AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000) SSLSessionCacheTimeout 600 SSLMutex default SSLRandomSeed startup builtin SSLRandomSeed connect builtin <VirtualHost _default_:443> ServerName 192.168.0.2:443 Errorlog /opt/exampleca/ssl_error_log Transferlog /opt/exampleca/ssl_access_log SSLEngine on SSLCipherSuite HIGH:MEDIUM SSLProtocol all SSLCertificateFile /some/path/01.pem SSLCertificateKeyFile /some/path/testkey.pem SSLCertificateChainFile /some/path/cacert.pem </VirtualHost> </IfModule> </IfDefine> </IfDefine> All the steps in OpenSSL and Apache work as far as I can say. Now follow some steps to access my site. step 1: start the Apache with /etc/init.d/apache2 startssl The certificate in the Apache ssl-global.conf is NOT revoked. step 2: start Firefox 2.0.1 and call the site https://192.168.0.2 Of course you must trust the certificate. step 3: import the CRL in the Firefox under settings-advanced-encryption. Here you can enter the URL https://192.168.0.2/derexample.crl and import the CRL step 4: The certificate of the CA has to be imported and trusted as well. step 5: Close Firefox and stop Apache with /etc/init.d/apache2 stop step 6: Now I change the ssl-global.conf and enter a certificate which was revoked from me in the forefront. Of course the CRL is up to date. step 7: new start of Apache und Firefox. The site can still be accessed although the certificate is revoked; no error message or something like that is shown. I also deleted the private internet files and the last visited pages to avoid that my site still lies somewhere in the cache. Does anyone know why I’m still able to access this site? I’m very thankful for all comments, hints and solutions. If you need my complete configs or something else feel free to ask. best regards domi -- View this message in context: http://www.nabble.com/A-problem-with-the-use-of-CRLs.-I%27m-still-able-to-access-a-site-although-the-certificate-is-revoked.-tf3169634.html#a8792524 Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
