<h1>Lighttpd - Feature #2319: Support CRLs for client certificate verification</h1>
<p>Issue journal from the lighty labs Redmine: <a href="https://redmine.lighttpd.net/issues/2319">https://redmine.lighttpd.net/issues/2319</a></p>
<p><strong>Updated by darix</strong> on 2011-06-01T19:43:58Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=7487">journal 7487</a>)</p>
<ul><li><strong>File</strong> deleted (<del><i>ca-crl.patch</i></del>)</li></ul>
<p><strong>Updated by binbrain</strong> on 2011-06-01T19:55:17Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=7488">journal 7488</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/1277/ca-crl.patch">ca-crl.patch</a> added</li></ul>
<p><strong>Updated by stbuehler</strong> on 2011-06-15T11:05:55Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=7531">journal 7531</a>)</p>
<ul><li><strong>Target version</strong> set to <i>1.5.0</i></li></ul>
<p><strong>Updated by flynn</strong> on 2016-03-16T14:46:31Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=9121">journal 9121</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/1692/ca-crl-1.4.39.patch">ca-crl-1.4.39.patch</a> added</li></ul>
<p>I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".</p>
<p>I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations as long as the new configuration variable <code>ssl.ca-crl-file</code> is not used.</p>
<p>For the wiki I suggest the following entry:</p>
<p><code>ssl.ca-crl-file</code>: path to the CRL file in PEM format (revocation list)</p>
<p><strong>Updated by gstrauss</strong> on 2016-03-16T19:52:52Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=9122">journal 9122</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>1.5.0</i> to <i>1.4.x</i></li></ul>
<p><strong>Updated by gstrauss</strong> on 2016-05-01T07:10:56Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=9527">journal 9527</a>)</p>
<ul><li><strong>Category</strong> changed from <i>core</i> to <i>TLS</i></li></ul>
<p><strong>Updated by dirk4000</strong> on 2016-10-11T20:41:45Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=10556">journal 10556</a>)</p>
<p>I would like to see this feature in the next version 1.4.42.</p>
<p><strong>Updated by flynn</strong> on 2016-10-31T09:01:03Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=10605">journal 10605</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/1729/ca-crl-1.4.42.patch">ca-crl-1.4.42.patch</a> added</li></ul>
<p>I updated the patch for the current version 1.4.42 for easier inclusion.</p>
<p><strong>Updated by gstrauss</strong> on 2016-10-31T13:00:00Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=10606">journal 10606</a>)</p>
<p>Thanks, flynn. This won't make today's release, but will likely make the one following.</p>
<p><strong>Updated by gstrauss</strong> on 2016-12-22T05:11:13Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=10696">journal 10696</a>)</p>
<p>Sorry. This won't make 1.4.44. Maybe the following release.</p>
<p>As noted in <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: [PATCH] add support for ssl.cadn-file (Fixed)" href="https://redmine.lighttpd.net/issues/2694">#2694</a></p>
<blockquote>
<p>Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).</p>
</blockquote>
<p>See also <a class="issue tracker-2 status-5 priority-3 priority-lowest closed" title="Feature: request: support Chunked Transfer Coding for HTTP PUT (Fixed)" href="https://redmine.lighttpd.net/issues/2156">#2156</a> where the request for feedback has unfortunately been met with silence.</p>
<p><strong>Updated by gportay</strong> on 2017-05-12T17:12:43Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=11019">journal 11019</a>)</p>
<ul>
<li><strong>File</strong> <a href="/attachments/download/1781/0001-mod_openssl-support-for-CRL.patch">0001-mod_openssl-support-for-CRL.patch</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1782/ca.pem">ca.pem</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1783/crl.conf">crl.conf</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1784/crl.conf-revocked">crl.conf-revocked</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1785/crl.pem">crl.pem</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1786/crl.pem-revocked">crl.pem-revocked</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1787/server.pem">server.pem</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1790/revocked-admin.p12">revocked-admin.p12</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1791/revocked-admin-certificate.pem">revocked-admin-certificate.pem</a> added</li>
<li><strong>File</strong> <a href="/attachments/download/1792/revocked-admin-key.pem">revocked-admin-key.pem</a> added</li>
</ul>
<p>I rebased the last patch from flynn on top of master (lighttpd-1.4.45-125-gb23065e).</p>
<p>It works great for me.</p>
<p>Feel free to test it. I uploaded files for tests.</p>
<h1>Test it</h1>
<h2>Run lighttpd</h2>
<p>This lets you in</p>
<pre>
$ sudo lighttpd -Df crl.conf
2017-05-12 12:57:20: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649)
...
</pre>
<p>While this</p>
<pre>
$ sudo lighttpd -Df crl.conf-revocked
2017-05-12 13:00:15: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649)
2017-05-12 13:00:21: (mod_openssl.c.1241) SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
</pre>
<p>leads to the following error</p>
<blockquote>
<p>Secure Connection Failed</p>
<p>An error occurred during a connection to localhost. SSL peer rejected your certificate as revoked. Error code: SSL_ERROR_REVOKED_CERT_ALERT</p>
<p>The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.<br />Please contact the website owners to inform them of this problem.</p>
<p>Learn more…</p>
</blockquote>
<h2>Using Firefox</h2>
<pre>
firefox https://localhost
</pre>
<p><img src="https://redmine.lighttpd.net/attachments/download/1793/2017-05-12-124308_1920x1080_scrot.png" title="Firefox screenshot" alt="Firefox screenshot" loading="lazy" /></p>
<h2>Using cURL</h2>
<pre>
$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
* Closing connection 0
curl: (35) error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
</pre>
<pre>
$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
* start date: May 11 23:31:33 2017 GMT
* expire date: May 9 23:31:33 2027 GMT
* issuer: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "691802132"
< Last-Modified: Fri, 12 May 2017 16:58:51 GMT
< Content-Length: 10
< Date: Fri, 12 May 2017 16:58:56 GMT
<
It works!
* Connection #0 to host localhost left intact
</pre>
<p><strong>Updated by gportay</strong> on 2017-05-12T17:13:47Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=11020">journal 11020</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/1793/2017-05-12-124308_1920x1080_scrot.png">2017-05-12-124308_1920x1080_scrot.png</a> added</li></ul>
<p><strong>Updated by tecnomexico</strong> on 2017-05-13T16:47:36Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=11021">journal 11021</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/download/1794/ca-crl.patch">ca-crl.patch</a> added</li></ul>
<p><strong>Updated by gstrauss</strong> on 2017-05-16T01:45:12Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=11022">journal 11022</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>1.4.x</i> to <i>1.4.46</i></li></ul>
<p><strong>Updated by gportay</strong> on 2017-05-16T03:30:09Z (<a href="https://redmine.lighttpd.net/issues/2319?journal_id=11031">journal 11031</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Patch Pending</i> to <i>Fixed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="[mod_openssl] ssl.ca-crl-file for CRL (fixes #2319) (original patch by binbrain, and updated by ..." href="https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/e422ac128ab38230a1315e9a441f25a7b7ceef1c">e422ac128ab38230a1315e9a441f25a7b7ceef1c</a>.</p>
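<p>A way to produce and check the kind of test material gportay describes in this thread (a CA, a client certificate, and two CRLs, one listing the certificate and one not), written as an added example by the editor; it is not code from the thread, from the attached patches, or from the lighttpd project. It assumes the <code>openssl</code> CLI and <code>mktemp</code> are available, takes the option name <code>ssl.ca-crl-file</code> from this thread, and uses existing mod_openssl settings (<code>ssl.ca-file</code>, <code>ssl.verifyclient.activate</code>, <code>ssl.verifyclient.enforce</code>, <code>ssl.pemfile</code>) for the rest of the config. File names such as <code>admin.pem</code> and <code>crl-revoked.pem</code>, the subject names, and the port are this example's own choices.</p>

```shell
#!/bin/sh
# Editor's added example for lighttpd #2319 (not code from the thread, its patches
# or the lighttpd project): build a throwaway CA and client certificate with the
# openssl CLI, revoke the client certificate, generate the PEM CRL that ssl.ca-crl-file
# takes, confirm with "openssl verify -crl_check" that the CRL rejects the revoked
# certificate, and write a lighttpd config that wires the files together.
set -eu

# make_test_pki DIR: write an openssl ca(1) config plus CA, server and client
# certificates into DIR (a scratch directory; the heredoc expands $pki so all
# paths in the config are absolute and no cd is needed).
make_test_pki() {
    pki=$1
    mkdir -p "$pki/htdocs"
    : > "$pki/index.txt"          # empty certificate database for openssl ca
    echo 1000 > "$pki/serial"
    echo 01 > "$pki/crlnumber"
    cat > "$pki/ca.cnf" <<EOF
[ ca ]
default_ca       = test_ca
[ test_ca ]
new_certs_dir    = $pki
database         = $pki/index.txt
serial           = $pki/serial
crlnumber        = $pki/crlnumber
certificate      = $pki/ca.pem
private_key      = $pki/ca-key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
[ cn_only ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA: issues the client certificate and signs the CRL.
    openssl req -x509 -config "$pki/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=Test CRL CA" -keyout "$pki/ca-key.pem" -out "$pki/ca.pem" 2>/dev/null
    # Self-signed server certificate; lighttpd's ssl.pemfile holds cert and key in one file.
    openssl req -x509 -config "$pki/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=localhost" -keyout "$pki/server-key.pem" -out "$pki/server-cert.pem" 2>/dev/null
    cat "$pki/server-cert.pem" "$pki/server-key.pem" > "$pki/server.pem"
    # Client certificate issued through openssl ca, so it is in the database and can be revoked.
    openssl req -new -config "$pki/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=admin" -keyout "$pki/admin-key.pem" -out "$pki/admin.csr" 2>/dev/null
    openssl ca -batch -config "$pki/ca.cnf" -notext -in "$pki/admin.csr" -out "$pki/admin.pem" >/dev/null 2>&1
}

# gen_crl DIR OUT: snapshot the CA's revocation database into a PEM CRL; a CRL is
# a snapshot, so regenerate it after every revoke.
gen_crl() {
    openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$2" >/dev/null 2>&1
}

# revoke_cert DIR CERT: mark CERT as revoked in the CA database (reason code is arbitrary here).
revoke_cert() {
    openssl ca -batch -config "$1/ca.cnf" -revoke "$2" -crl_reason keyCompromise >/dev/null 2>&1
}

# verify_client_cert CA CRL CERT: exit 0 if CERT chains to CA and is absent from CRL,
# non-zero otherwise. This is the CRL-aware check done with the CLI, to validate the
# files before handing them to the server.
verify_client_cert() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# write_lighttpd_conf DIR OUT: require a client certificate issued by ca.pem and
# reject anything listed in the CRL. ssl.ca-crl-file is the option this issue adds.
write_lighttpd_conf() {
    cat > "$2" <<EOF
server.modules       = ( "mod_openssl" )
server.document-root = "$1/htdocs"
server.port          = 8443
ssl.engine           = "enable"
ssl.pemfile          = "$1/server.pem"
ssl.ca-file          = "$1/ca.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce  = "enable"
ssl.ca-crl-file      = "$1/crl-revoked.pem"
EOF
}

# run_crl_demo DIR: issue, revoke, and show that only the CRL makes the difference.
run_crl_demo() {
    make_test_pki "$1"
    gen_crl "$1" "$1/crl-empty.pem"                 # nothing revoked yet
    revoke_cert "$1" "$1/admin.pem"
    gen_crl "$1" "$1/crl-revoked.pem"               # now lists admin.pem
    write_lighttpd_conf "$1" "$1/crl.conf"
    verify_client_cert "$1/ca.pem" "$1/crl-empty.pem" "$1/admin.pem" || { echo "unexpected: rejected before revocation"; return 1; }
    echo "admin.pem against empty CRL: accepted"
    if verify_client_cert "$1/ca.pem" "$1/crl-revoked.pem" "$1/admin.pem"; then echo "CRL not enforced"; return 1; fi
    echo "admin.pem against CRL listing it: rejected"
}

CRL_DEMO_DIR=${CRL_DEMO_DIR:-$(mktemp -d)}
run_crl_demo "$CRL_DEMO_DIR"
```

<p>Run it with <code>sh</code>, then start <code>lighttpd -Df</code> on the generated <code>crl.conf</code> and repeat gportay's curl run with <code>admin-key.pem</code> and <code>admin.pem</code> to see the "certificate revoked" alert; pointing <code>ssl.ca-crl-file</code> at <code>crl-empty.pem</code> instead gives the 200. Two caveats a deployment needs: a CRL carries a nextUpdate, and once that time has passed OpenSSL's verifier reports X509_V_ERR_CRL_HAS_EXPIRED for every certificate it checks, so the file has to be regenerated before then and the server made to reread it (restart if in doubt); and the <code>--insecure</code> in the thread's curl commands only disables verification of the server certificate, so it has no bearing on the client-certificate check under test.</p>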