Hi,

A cautious handling of Heartbleed included renewing private keys and certificates. But that is of no interest if the possibly compromised certificate is not revoked, or if revocation is not enforced.
I therefore tried CRL in OpenLDAP (linked with OpenSSL). I first started with client settings, in ~/.ldaprc:

    BASE dc=example,dc=net
    URI ldaps://ldap.example.net
    TLS_CACERT /etc/openssl/certs/ca.crt
    TLS_REQCERT demand
    TLS_CACERTDIR /home/manu/openssl/ca
    TLS_CRLCHECK all

As suggested in the man page, I added a copy of /etc/openssl/certs/ca.crt in /home/manu/openssl/ca and tried an ldapsearch on the server. It fails, and with debug output I have:

    TLS certificate verification: Error, unable to get certificate CRL
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get certificate CRL).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

A kernel trace shows that before the error message, it attempts to open /home/manu/openssl/ca/0726b466.r0

If I rename the CA to that name, it will read it, then fail on:

    TLS certificate verification: Error, unable to get certificate CRL
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS trace: SSL_connect:error in SSLv3 read server certificate B
    TLS: can't connect: error:0906D06C:PEM routines:PEM_read_bio:no start line.

That suggests the man page is wrong and it is not expecting a CA there.

If I remove the CA from /home/manu/openssl/ca/ and copy the CRL to /home/manu/openssl/ca/0726b466.r0, it reads it without complaint, then tries to read /home/manu/openssl/ca/0726b466.r1 and fails there.

If I copy /home/manu/openssl/ca/0726b466.r0 to /home/manu/openssl/ca/0726b466.r1, the message suggests that it is indeed trying to load the CRL from that file:

    TLS: can't connect: error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table.
I have a few questions before I start to read the code, just in case it is a known issue:

Why the cryptic file names? And why do I need a second 0726b466.r1 file?

Using TLS_CRLCHECK peer instead of TLS_CRLCHECK all does not change the behavior.

And is OpenSSL CRL supposed to work? This is OpenLDAP 2.4.33

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
[email protected]
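
The file names in the post follow OpenSSL's hashed lookup directory scheme, which is what TLS_CACERTDIR is: CA certificates are looked up as <hash>.0, <hash>.1, ... and CRLs as <hash>.r0, <hash>.r1, ..., where <hash> is the name hash OpenSSL prints with `openssl x509 -hash` (subject) or `openssl crl -hash` (issuer), and the lookup probes N = 0, 1, 2, ... until a file is missing. The script below is an added example, not code from the original post or from OpenLDAP; it installs a CA certificate and its CRL under those names and verifies a peer certificate with CRL checking for the whole chain. It assumes the openssl CLI is available; the paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example: populate an OpenSSL hashed directory (TLS_CACERTDIR) so that
# the verifier finds both the CA certificate (<hash>.N) and its CRL (<hash>.rN).
set -eu

# Print the next unused slot name for a given hash and kind ("" for a
# certificate, "r" for a CRL); OpenSSL probes N = 0, 1, 2, ... in that order,
# so the slots must be contiguous.
next_slot() {
    dir=$1; hash=$2; kind=$3; n=0
    while [ -e "$dir/$hash.$kind$n" ]; do
        n=$((n + 1))
    done
    printf '%s/%s.%s%s\n' "$dir" "$hash" "$kind" "$n"
}

# Install a PEM CA certificate under the hash of its subject name.
install_ca_cert() {
    dir=$1; cert=$2
    hash=$(openssl x509 -noout -hash -in "$cert")
    target=$(next_slot "$dir" "$hash" "")
    cp "$cert" "$target"
    printf '%s\n' "$target"
}

# Install a PEM CRL under the hash of its issuer name, which is the name the
# verifier hashes when it needs the CRL for a given CA.
install_crl() {
    dir=$1; crl=$2
    hash=$(openssl crl -noout -hash -in "$crl")
    target=$(next_slot "$dir" "$hash" "r")
    cp "$crl" "$target"
    printf '%s\n' "$target"
}

# Verify a peer certificate against the directory, requiring a CRL for every
# CA in the chain (the check TLS_CRLCHECK all asks for).
verify_with_crl() {
    dir=$1; cafile=$2; peer=$3
    openssl verify -crl_check_all -CAfile "$cafile" -CApath "$dir" "$peer"
}

# Usage (placeholder paths):
#   install_ca_cert /home/manu/openssl/ca /etc/openssl/certs/ca.crt
#   install_crl     /home/manu/openssl/ca /etc/openssl/certs/ca.crl
#   verify_with_crl /home/manu/openssl/ca /etc/openssl/certs/ca.crt server.crt
```

A CRL that has been reissued (for example after another revocation) should replace the existing <hash>.rN file rather than be added as a new slot, since OpenSSL loads every slot it finds.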
