OK better but not perfect:

1)  missing CA in trusted roots:  fails to verify; good
2)  missing CRL:  FAILS TO VERIFY; BAD
3)  CRL with revoked cert:  fails to verify, good
3.bis)  CRL _without_ revoked cert:  verifies, good

so it seems the coup de grâce would be to make the absence of the CRL act
like nothing is revoked, or add some options/parameters, maybe like:

    cryptoapi-chain-validation require-crl-present

I'd still like to see an example of a well-formed value for the CDP and
Authority Info Access extensions so I can re-issue my CA cert and test the
hypothetical CAPI built-in OCSP/CRL checking...

-Dave
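[Added example; not from this thread and not OpenVPN or CryptoAPI code. It replays the four-case matrix above with OpenSSL's own verifier and issues a client certificate carrying well-formed crlDistributionPoints (CDP) and authorityInfoAccess (AIA) values of the kind asked for. A throwaway CA is built in a temp directory with "openssl ca"; the CA name, the pki.example.test / ocsp.example.test URLs and the file names are placeholders, and since "openssl verify" does not fetch those URLs the CRLs are supplied as local files. "-crl_check" behaves like the proposed require-crl-present: a missing CRL is a hard failure. Leaving it off is the other policy, where no CRL means nothing is revoked.]

```sh
#!/bin/sh
# Added example (not OpenVPN or CryptoAPI code): throwaway PKI with OpenSSL,
# a client cert carrying CDP + AIA extensions, and the four-case CRL matrix
# replayed with "openssl verify". Needs openssl 1.1.1 or later on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# "openssl ca" database plus extension sections. The CA name and the
# pki.example.test / ocsp.example.test URLs are placeholders (assumption);
# CAPI would fetch them, openssl verify does not, so CRLs come from files.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = throwaway_ca

[ throwaway_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
policy           = any_policy
crl_extensions   = crl_ext

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
# CDP: where a relying party fetches this CA's CRL
crlDistributionPoints  = URI:http://pki.example.test/ca.crl
# AIA: OCSP responder, and where to fetch the issuer certificate
authorityInfoAccess    = OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://pki.example.test/ca.crt

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Self-signed CA, then one client certificate issued through "openssl ca"
# so the CA database knows about it and can revoke it later.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config ca.cnf \
  -extensions ca_ext -subj /CN=throwaway-ca -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=client \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -extensions client_ext -days 365 \
  -in client.csr -out client.crt >/dev/null 2>&1

# Two CRLs: one issued before the revocation (empty), one after it.
openssl ca -config ca.cnf -gencrl -out crl-clean.pem >/dev/null 2>&1
openssl ca -config ca.cnf -revoke client.crt -crl_reason keyCompromise >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl-revoked.pem >/dev/null 2>&1

# Prints "verifies" or "fails" for: openssl verify <args> client.crt
result() {
  if openssl verify "$@" client.crt >/dev/null 2>&1; then echo verifies; else echo fails; fi
}
case_missing_ca()      { result -no-CAfile -no-CApath; }
case_missing_crl()     { result -CAfile ca.crt -crl_check; }
case_crl_revoked()     { result -CAfile ca.crt -crl_check -CRLfile crl-revoked.pem; }
case_crl_not_revoked() { result -CAfile ca.crt -crl_check -CRLfile crl-clean.pem; }
# No -crl_check at all: the "absence of a CRL means nothing is revoked" policy.
case_no_crl_check()    { result -CAfile ca.crt; }

echo "1)     missing CA in trusted roots:  $(case_missing_ca)"
echo "2)     missing CRL (-crl_check):     $(case_missing_crl)"
echo "3)     CRL with revoked cert:        $(case_crl_revoked)"
echo "3.bis) CRL without revoked cert:     $(case_crl_not_revoked)"
echo "4)     no CRL, no -crl_check:        $(case_no_crl_check)"

# The extension values as they appear in the issued certificate
# (-ext needs 1.1.1+; fall back to the full text dump on older builds).
openssl x509 -in client.crt -noout -ext crlDistributionPoints,authorityInfoAccess 2>/dev/null \
  || openssl x509 -in client.crt -noout -text
```

Cases 1, 2 and 3 fail and 3.bis verifies, matching the list above; case 4 is the same input as case 2 under the other policy. Note that -crl_check only demands a CRL for the leaf; -crl_check_all demands one for every CA in the chain, which is the stricter setting to compare a CAPI chain engine against.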

> -----Original Message-----
> From: Alon Bar-Lev [mailto:alon.bar...@gmail.com] 
> Sent: Saturday, October 18, 2008 3:29 PM
> To: Dave
> Cc: openvpn devel
> Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> 
> 
> Oh!
> Thanks!!!!
> I feared I had to install Windows again :)
> 
> So now everything should be fine... you should be able to check the
> chain validation:
> 1. Without trusted CA in store.
> 2. Without CRL in store.
> 3. With CRL but with certificate revoked.
> 
> Alon.
> 
> On 10/18/08, Dave <d...@ziggurat29.com> wrote:
> > Sorry, I lied.  Success!  I somehow failed to copy the openvpn.exe
> > over.  Attached herewith is the log.
> >
> > > -----Original Message-----
> > > From: Dave [mailto:d...@ziggurat29.com]
> > > Sent: Saturday, October 18, 2008 3:19 PM
> > > To: 'Alon Bar-Lev'
> > > Cc: 'openvpn devel'
> > > Subject: RE: [Openvpn-devel] [MSCAPI] Need testers
> > >
> > > Alas, the same.
> > >
> > > > -----Original Message-----
> > > > From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
> > > > Sent: Saturday, October 18, 2008 2:31 PM
> > > > To: Dave
> > > > Cc: openvpn devel
> > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > >
> > > > Thank you for your time!
> > > > Last time... If we don't make any progress I will install Windows
> > > > setup when I have some free time. The problem may be due to the
> > > > RSA_FLAG_SIGN_VER flag that should be set on the RSA and not the
> > > > method. Can you please test [1]?
> > > >
> > > > Alon.
> > > >
> > > > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-7.tar.bz2
> > > >
> > > > On 10/18/08, Dave <d...@ziggurat29.com> wrote:
> > > > > Nope, still crashes.
> > > > >
> > > > > Application Event Log reveals:
> > > > >
> > > > >   Faulting application openvpn.exe, version 0.0.0.0, faulting module
> > > > >   libeay32.dll, version 0.9.9.0, fault address 0x0005c4c5.
> > > > >
> > > > > I suppose there's no debug info in the MinGW build -- I can attach a
> > > > > debugger when it crashes and could see the source if there was debug
> > > > > info.  Invariably something about my config triggers some boundary
> > > > > case.
> > > > >
> > > > > When testing only with cryptoapicert, the failure occurs also, and is
> > > > > logged as having happened at the same location.
> > > > >
> > > > > -Dave
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
> > > > > > Sent: Saturday, October 18, 2008 1:51 PM
> > > > > > To: Dave
> > > > > > Cc: openvpn devel
> > > > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > > > >
> > > > > > I cannot see what is wrong, what exactly crashes? Do you have an
> > > > > > entry in the event log? I recompiled everything at [1], I may have
> > > > > > had a problem with the libraries. Can you please test only with
> > > > > > cryptoapicert and see if it changes something?
> > > > > > Thanks!
> > > > > >
> > > > > > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-6.tar.bz2
> > > > > >
> > > > > > On 10/18/08, Dave <d...@ziggurat29.com> wrote:
> > > > > > > A little bit further, though now it crashes for me using all the
> > > > > > > binaries you included in your bz file.  Log attached herewith in
> > > > > > > case that helps locate the area affected.
> > > > > > >
> > > > > > > -Dave
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Alon Bar-Lev [mailto:alon.bar...@gmail.com]
> > > > > > > > Sent: Saturday, October 18, 2008 1:01 PM
> > > > > > > > To: Dave
> > > > > > > > Cc: openvpn devel
> > > > > > > > Subject: Re: [Openvpn-devel] [MSCAPI] Need testers
> > > > > > > >
> > > > > > > > Thank you for testing!
> > > > > > > >
> > > > > > > > Found the problem... CryptoAPI cannot validate root
> > > > > > > > certificate... OK, can you please test [1]?
> > > > > > > >
> > > > > > > > I also renamed the option from cryptoapica to
> > > > > > > > cryptoapi-chain-validation, I think it is clearer.
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Alon.
> > > > > > > >
> > > > > > > > [1] http://alon.barlev.googlepages.com/openvpn-mscapi-test-5.tar.bz2
> > > > > > > >
> > > > > > > > On 10/18/08, Dave <d...@ziggurat29.com> wrote:
> > > > > > > > > attached herewith is the log of the (failed) attempt(s) to
> > > > > > > > > connect.
> > > > > > > > >
> > > > > > > > > Certs are all OK as far as I can tell (no red X overlaid).
> > > > > > > > >
> > > > > > > > > This CA cert I created some years back with easy-RSA.  These
> > > > > > > > > days I now manage my CA with XCA off a USB key, but I imported
> > > > > > > > > that CA cert rather than rebuilding the PKI.
> > > > > > > > >
> > > > > > > > > Your CRL/OCSP suggestion is interesting, though of course that's
> > > > > > > > > Windows only (my servers are all Linux).  Actually I was hoping
> > > > > > > > > for an extension of the OCSP patch that was submitted about a
> > > > > > > > > year ago, but maybe that is a task for me to do!  Then it would
> > > > > > > > > be general across Windows/Linux.  I have not used the extensions
> > > > > > > > > before, and I would love it if you had an example cert with the
> > > > > > > > > CDP or OCSP extensions filled out so I can use that as a
> > > > > > > > > reference to proper form.  My OCSP responder also runs on Linux,
> > > > > > > > > rather than Windows.
> > > > > > > > >
> > > > > > > > > -Dave
> > > > > > > > >
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > > > > Thank you for your tests!
> > > > > > > > > >
> > > > > > > > > > Your configuration is correct.
> > > > > > > > > >
> > > > > > > > > > Can you please double click the certificate at the MMC, and
> > > > > > > > > > see if it is marked "OK"? If there is an error then there is
> > > > > > > > > > probably something wrong with CA location or CRL fetch.
> > > > > > > > > > How did you enroll your certificate? If you did this via
> > > > > > > > > > Microsoft CA, you have CDP (CRL distribution point) X.509
> > > > > > > > > > extension that is used by Windows to automatically fetch your
> > > > > > > > > > CRL. If you got an OCSP responder which is integrated with
> > > > > > > > > > CAPI on your machine it will also work in this configuration.
> > > > > > > > > >
> > > > > > > > > > I added some more debugging information.
> > > > > > > > > > Please run the new version [1] with verb 255.
> > > > > > > > > >
> > > > > > > > > > Thanks!
> > > > > > > > > ...
> > > > > > > > >
> > > > > > > >
> > > > > > > > -------------------------------------------------------------------------
> > > > > > > > This SF.Net email is sponsored by the Moblin Your Move Developer's
> > > > > > > > challenge. Build the coolest Linux based applications with Moblin
> > > > > > > > SDK & win great prizes. Grand prize is a trip for two to an Open
> > > > > > > > Source event anywhere in the world
> > > > > > > > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > > > > > > > _______________________________________________
> > > > > > > > Openvpn-devel mailing list
> > > > > > > > Openvpn-devel@lists.sourceforge.net
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
> > > > > > > >