Feature #2319

Support CRLs for client certificate verification

Added by binbrain about 6 years ago. Updated about 1 month ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2011-06-01
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x: No

Description

I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.

  • the regular client verification configuration discussed in ticket #1288 applies
  • new config param ssl.ca-crl-file added
  • if ssl.ca-crl-file is set, make sure the client cert isn't revoked

If all goes well, a client using a revoked cert will receive a "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.

Files

  • ca-crl.patch (3.62 KB): patch for 1.5. binbrain, 2011-06-01 19:55
  • ca-crl-1.4.39.patch (3.51 KB): ssl.ca-crl-file patch for 1.4.39. flynn, 2016-03-16 14:45
  • ca-crl-1.4.42.patch (3.59 KB): ssl.ca-crl-file patch for 1.4.42. flynn, 2016-10-31 08:59
  • 0001-mod_openssl-support-for-CRL.patch (4.68 KB): rebased patch for 1.4.45. gportay, 2017-05-12 16:19
  • ca.pem (1.28 KB): the CA PEM file, to set in ssl.ca-file. gportay, 2017-05-12 16:19
  • crl.conf (3.41 KB): the conf file that has not yet revoked the CA. gportay, 2017-05-12 16:19
  • crl.conf-revocked (3.42 KB): the conf file that has revoked the CA. gportay, 2017-05-12 16:19
  • crl.pem (658 Bytes): the CRL PEM file, to set in ssl.ca-crl-file. gportay, 2017-05-12 16:19
  • crl.pem-revocked (690 Bytes): the CRL PEM file that has revoked the CA, to set in ssl.ca-crl-file. gportay, 2017-05-12 16:19
  • server.pem (2.94 KB): the server PEM file, to set in ssl.pemfile. gportay, 2017-05-12 16:19
  • revocked-admin.p12 (3.47 KB): revoked admin PKCS #12 file, to import into a web browser. gportay, 2017-05-12 16:54
  • revocked-admin-certificate.pem (4.39 KB): revoked admin certificate file, signed with the CA, to use with curl. gportay, 2017-05-12 16:54
  • revocked-admin-key.pem (1.64 KB): revoked admin key file, to use with curl. gportay, 2017-05-12 16:54
  • 2017-05-12-124308_1920x1080_scrot.png (60.5 KB): Firefox screenshot. gportay, 2017-05-12 17:13
  • ca-crl.patch (3.62 KB). tecnomexico, 2017-05-13 16:46

Associated revisions

Revision e422ac12 (diff)
Added by gportay about 1 month ago

[mod_openssl] ssl.ca-crl-file for CRL (fixes #2319)

(original patch by binbrain, and updated by flynn)

github: closes #82

x-ref:
"Support CRLs for client certificate verification"
https://redmine.lighttpd.net/issues/2319
https://github.com/lighttpd/lighttpd1.4/pull/82

History

#1 Updated by darix about 6 years ago

  • File deleted (ca-crl.patch)

#2 Updated by binbrain about 6 years ago

#3 Updated by stbuehler about 6 years ago

  • Target version set to 1.5.0

#4 Updated by flynn over 1 year ago

I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".

I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations as long as the new configuration variable ssl.ca-crl-file is not used.

For the wiki I suggest the following entry:

ssl.ca-crl-file: path to the CRL file in PEM format (revocation list)

#5 Updated by gstrauss over 1 year ago

  • Target version changed from 1.5.0 to 1.4.x

#6 Updated by gstrauss about 1 year ago

  • Category changed from core to TLS

#7 Updated by dirk4000 9 months ago

I would like to see this feature in the next version 1.4.42.

#8 Updated by flynn 8 months ago

I updated the patch for the current version 1.4.42 for easier inclusion.

#9 Updated by gstrauss 8 months ago

Thanks, flynn. This won't make today's release, but will likely make the one following.

#10 Updated by gstrauss 6 months ago

Sorry. This won't make 1.4.44. Maybe the following release.

As noted in #2694:

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

See also #2156 where the request for feedback has unfortunately been met with silence.

#11 Updated by gportay about 1 month ago

I rebased the last patch from flynn on top of master (lighttpd-1.4.45-125-gb23065e).

It works great for me.

Feel free to test it. I uploaded files for testing.

Test it

Run lighttpd

This lets you in:

$ sudo lighttpd -Df crl.conf
2017-05-12 12:57:20: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649) 
...

While this:

$ sudo lighttpd -Df crl.conf-revocked
2017-05-12 13:00:15: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649) 
2017-05-12 13:00:21: (mod_openssl.c.1241) SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed 

leads to the following error:

Secure Connection Failed

An error occurred during a connection to localhost. SSL peer rejected your certificate as revoked. Error code: SSL_ERROR_REVOKED_CERT_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.


Using Firefox

firefox https://localhost

(Firefox screenshot attached: 2017-05-12-124308_1920x1080_scrot.png)

Using cURL

$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
* Closing connection 0
curl: (35) error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
*  start date: May 11 23:31:33 2017 GMT
*  expire date: May  9 23:31:33 2027 GMT
*  issuer: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "691802132" 
< Last-Modified: Fri, 12 May 2017 16:58:51 GMT
< Content-Length: 10
< Date: Fri, 12 May 2017 16:58:56 GMT
< 
It works!
* Connection #0 to host localhost left intact
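As an added example that is not part of this ticket, the patches, or lighttpd's own code: the check the ssl.ca-crl-file option enables, written in Go against the standard library. It chains the client certificate to the CA as ssl.ca-file already does and then refuses the certificate if a CRL signed by that CA lists its serial number, which is what both the description above and the two test runs (crl.conf accepting, crl.conf-revocked rejecting) show. It builds its own throwaway CA, client certificate and CRLs in memory as constructed stand-ins for ca.pem, revocked-admin-certificate.pem, crl.pem and crl.pem-revocked, runs no TLS handshake, and the names VerifyClient, BuildTestPKI and ErrRevoked are made up for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("client certificate is listed in the CA's CRL") // surfaces as the TLS "certificate revoked" alert
// VerifyClient is the check ssl.ca-crl-file adds: chain the client cert to the CA as before, then refuse it if a CRL signed by that CA lists its serial number.
func VerifyClient(client, ca *x509.Certificate, crlDER []byte) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(ca)
	if _, err := client.Verify(opts); err != nil {
		return err // the ordinary ssl.ca-file failure, unchanged by this feature
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is unparsable, not signed by the CA, or past NextUpdate; refresh ssl.ca-crl-file")
	}
	for _, r := range crl.RevokedCertificates { // a CRL lists serial numbers, not certificates
		if r.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// BuildTestPKI makes a throwaway CA, client cert and two CRLs in memory: constructed stand-ins for ca.pem, revocked-admin-certificate.pem, crl.pem and crl.pem-revocked. No TLS handshake is run.
func BuildTestPKI() (ca, client *x509.Certificate, emptyCRL, revokedCRL []byte) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clPub, _, _ := ed25519.GenerateKey(rand.Reader) // the client's private key is not needed to verify its cert
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue CRLs
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))))
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "revoked-admin"},
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clTmpl, ca, clPub, caKey))))
	crl := func(revoked []pkix.RevokedCertificate) []byte { // CRL number 1, valid for one hour
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
			ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}, ca, caKey))
	}
	revokedCRL = crl([]pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now}})
	return ca, client, crl(nil), revokedCRL
}
```

The same split between "chain failure" and "revoked" is what the log above shows: the server records a certificate verify failure, and the client sees the alert as SSL_ERROR_REVOKED_CERT_ALERT or "sslv3 alert certificate revoked".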

#14 Updated by gstrauss about 1 month ago

  • Target version changed from 1.4.x to 1.4.46

#15 Updated by gportay about 1 month ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
