Re: [openssl-users] Re: Generate a CRL from an OCSP request

Today is the day after the Kalends of June, 2005, and Julien VEHENT wrote:
> Dr. Stephen Henson [EMAIL PROTECTED] wrote:
>> On Wed, Jun 01, 2005, Julien VEHENT wrote:
>>> I'm having an OCSP Responder on my CA and I want to use it in order to
>>> generate CRLs on other servers.

Usually, it's the other way around: provide an OCSP service based on a CRL.
In fact, what you're trying to do is impossible to do. An OCSP response
can't be transformed into a valid CRL.

> I don't want to use HTTP just because web servers are too much attacked.

Then use a small web server, and apply the necessary security patches.
Isn't your OCSP responder attacked?

--
Erwann ABALEA [EMAIL PROTECTED]
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          [EMAIL PROTECTED]
Re: Generate a CRL from an OCSP request

Jason Haar [EMAIL PROTECTED] wrote:
> Julien VEHENT wrote:
>> I don't want to use HTTP just because web servers are too much attacked.
>> Moreover, OCSP is very interesting for the student that I am :)
>> OK so if I use a boring script which requests 100 serials in one line,
>> what is the correct syntax to generate a CRL using the OpenSSL OCSP
>> request ?
>
> I don't think you can do what you want anyway - you have a chicken-n-egg
> problem.
>
> As far as I'm aware, an OCSP environment implies the following. You (e.g.
> the HTTPS server) are asked to interact with a remote cert; you can tell
> it was signed by a CA you trust, but you don't know if it hasn't been
> revoked. So you call OCSP and say "is serial 7423342 still valid?" and it
> answers yes or no.
>
> So for you to dump all the revoked certs contained within an OCSP db,
> you'd need to know all of the serial numbers in advance. And the only
> thing that knows all the assigned serial numbers is the CA itself. So now
> what do you do? Log into the CA and dump the serial numbers, copy them
> over to the box and then use OCSP to recursively do the lookups?!?! A
> waste of time - you could have just grabbed the CRL file in the first
> place.
>
> What we do is have a distribution of CRL servers. Simply Apache servers
> with a copy of our CRL (rsync'ed onto the Apache servers from the CA on
> an hourly basis). As Stephen said, all CRLs are digitally signed by the
> CA - so THEY CANNOT BE ALTERED. Worst case scenario is that the Web
> server is compromised and...? The CRL is deleted...? Corrupted? It can't
> be altered. I mean if your Web server is compromised, the integrity of
> your CRL file is irrelevant

Thanks for your very interesting answer... Now I understand that the use of
OCSP requests with openvpn is not the better way for me... Perhaps, in a
next release, openvpn dev will include the ocsp support ;)

--
J. VEHENT [EMAIL PROTECTED]
--
Microgate | 02.47.66.95.01 | www.microgate.fr
Re: Generate a CRL from an OCSP request

Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Wed, Jun 01, 2005, Julien VEHENT wrote:
>> Hi all,
>>
>> I'm having an OCSP Responder on my CA and I want to use it in order to
>> generate CRLs on other servers. So the idea is:
>>
>>   +------+                              +-------------+
>>   | CA   |====ocsp request(1)==========>|             |(3)\
>>   | ocsp |                              | openvpn srv |    ..(CRL GENERATION)
>>   +------+<===ocsp response===(2)=======|             |(4)/
>>                                         +-------------+
>>
>> and with the ocsp response I want to generate a CRL. For the ocsp
>> request, I'm using the openssl toolkit with a cron. But I have several
>> problems:
>>
>> _How can I request all certificates managed by my CA in one ocsp
>> request ? (I don't want to copy all of these signed certificates on all
>> of my openvpn servers)
>> _How can I encode the response in PEM format in order to use it with
>> OpenVPN ?
>>
>> I really want to use the OCSP protocol for several reasons (including
>> security considerations) so publication through HTTP protocol is not a
>> good solution for me.
>>
>> Could you help me ?... :)
>
> OCSP can't really be used that way unless you include the serial numbers
> of *all* that CA's certificates in the request. That could result in a
> very large request and responder overhead.
>
> What is your problem with HTTP? A CRL is digitally signed so it can't be
> tampered with.

I don't want to use HTTP just because web servers are too much attacked.
Moreover, OCSP is very interesting for the student that I am :)

OK so if I use a boring script which requests 100 serials in one line, what
is the correct syntax to generate a CRL using the OpenSSL OCSP request ?

I've tried to use the -respout argument and a crl conversion (with
openssl crl -inform DER [...] -outform PEM [...] ) but it doesn't work...
the error message is : unable to load CRL

And the openssl ocsp --help doesn't speak about CRL generation..

Thank you very much for your answers :)

--
J. VEHENT
Student in Computer Security
[EMAIL PROTECTED]
--
Microgate | 02.47.66.95.01 | www.microgate.fr
Re: Generate a CRL from an OCSP request

Julien VEHENT wrote:
> I don't want to use HTTP just because web servers are too much attacked.
> Moreover, OCSP is very interesting for the student that I am :)
> OK so if I use a boring script which requests 100 serials in one line,
> what is the correct syntax to generate a CRL using the OpenSSL OCSP
> request ?

I don't think you can do what you want anyway - you have a chicken-n-egg
problem.

As far as I'm aware, an OCSP environment implies the following. You (e.g.
the HTTPS server) are asked to interact with a remote cert; you can tell it
was signed by a CA you trust, but you don't know if it hasn't been revoked.
So you call OCSP and say "is serial 7423342 still valid?" and it answers
yes or no.

So for you to dump all the revoked certs contained within an OCSP db, you'd
need to know all of the serial numbers in advance. And the only thing that
knows all the assigned serial numbers is the CA itself. So now what do you
do? Log into the CA and dump the serial numbers, copy them over to the box
and then use OCSP to recursively do the lookups?!?! A waste of time - you
could have just grabbed the CRL file in the first place.

What we do is have a distribution of CRL servers. Simply Apache servers
with a copy of our CRL (rsync'ed onto the Apache servers from the CA on an
hourly basis). As Stephen said, all CRLs are digitally signed by the CA -
so THEY CANNOT BE ALTERED. Worst case scenario is that the Web server is
compromised and...? The CRL is deleted...? Corrupted? It can't be altered.
I mean if your Web server is compromised, the integrity of your CRL file is
irrelevant

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
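The CRL-distribution approach Jason describes rests on the CA's signature, not on the transport, so the job that fetches a CRL over HTTP should verify that signature against the CA certificate before replacing the file OpenVPN reads (its crl-verify file). The script below is an added example, not code from this thread, from OpenSSL or from OpenVPN: it builds a throwaway CA in a temporary directory, issues a CRL, and shows the same check accepting the genuine CRL and rejecting a tampered copy; the CA configuration, file names and the simulated tampering are all constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA issues a CRL, and the
# verify step a fetch-and-install cron job would run before handing the file
# to OpenVPN (crl-verify) accepts the genuine CRL and rejects a tampered copy.
# Everything below is constructed in a temp dir; it needs only the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

make_demo_ca() {
    # Minimal 'openssl ca' configuration (constructed for this example)
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 1
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
    touch index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo CA" -days 1 -config ca.cnf >/dev/null 2>&1
    # The CA signs its (currently empty) revocation list, as a real CA would
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Signature check against the CA certificate; exit status 0 only on success.
# This is the gate: a CRL that fails here is never copied into place.
verify_crl() {
    openssl crl -in "$1" -noout -CAfile ca.crt >/dev/null 2>&1
}

# Simulate a CRL altered in transit or on a compromised web host by
# rewriting characters on one base64 line of a copy.
tamper_copy() {
    sed '3y/ABCDEFGHIJabcdefghij/BCDEFGHIJAbcdefghija/' "$1" > "$2"
}

make_demo_ca
tamper_copy crl.pem tampered.pem
verify_crl crl.pem && echo "genuine CRL: verify OK, safe to install"
verify_crl tampered.pem || echo "tampered CRL: rejected, not installed"
```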
Re: Generate a CRL from an OCSP request

On Wed, Jun 01, 2005, Julien VEHENT wrote:
> Hi all,
>
> I'm having an OCSP Responder on my CA and I want to use it in order to
> generate CRLs on other servers. So the idea is:
>
>   +------+                              +-------------+
>   | CA   |====ocsp request(1)==========>|             |(3)\
>   | ocsp |                              | openvpn srv |    ..(CRL GENERATION)
>   +------+<===ocsp response===(2)=======|             |(4)/
>                                         +-------------+
>
> and with the ocsp response I want to generate a CRL. For the ocsp
> request, I'm using the openssl toolkit with a cron. But I have several
> problems:
>
> _How can I request all certificates managed by my CA in one ocsp
> request ? (I don't want to copy all of these signed certificates on all
> of my openvpn servers)
> _How can I encode the response in PEM format in order to use it with
> OpenVPN ?
>
> I really want to use the OCSP protocol for several reasons (including
> security considerations) so publication through HTTP protocol is not a
> good solution for me.
>
> Could you help me ?... :)

OCSP can't really be used that way unless you include the serial numbers
of *all* that CA's certificates in the request. That could result in a very
large request and responder overhead.

What is your problem with HTTP? A CRL is digitally signed so it can't be
tampered with.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk