Feature #2319
closed
Support CRLs for client certificate verification
Description
I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.
- regular client verification configuration discussed in ticket #1288 applies
- new config param ssl.ca-crl-file added
- if ssl.ca-crl-file is set, make sure the client cert isn't revoked
If all goes well, a client using a revoked cert will receive a "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.
Updated by flynn almost 9 years ago
- File ca-crl-1.4.39.patch added
I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".
I would like to see it in the next version 1.4.40, especially because there is no effect on existing installations,
as long as the new configuration variable ssl.ca-crl-file is not used.
For the wiki I suggest the following entry:
ssl.ca-crl-file path to the CRL file in PEM format (revocation list)
Updated by gstrauss almost 9 years ago
- Target version changed from 1.5.0 to 1.4.x
Updated by dirk4000 about 8 years ago
I would like to see this feature in next version 1.4.42.
Updated by flynn about 8 years ago
- File ca-crl-1.4.42.patch added
I updated the patch for the current version 1.4.42 for easier inclusion.
Updated by gstrauss about 8 years ago
Thanks, flynn. This won't make today's release, but will likely make the one following.
Updated by gstrauss about 8 years ago
Sorry. This won't make 1.4.44. Maybe the following release.
As noted in #2694
Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).
See also #2156 where the request for feedback has unfortunately been met with silence.
Updated by gportay over 7 years ago
- File 0001-mod_openssl-support-for-CRL.patch added
- File ca.pem added
- File crl.conf added
- File crl.conf-revocked added
- File crl.pem added
- File crl.pem-revocked added
- File server.pem added
- File revocked-admin.p12 added
- File revocked-admin-certificate.pem added
- File revocked-admin-key.pem added
I rebased the last patch from flynn on top of master (lighttpd-1.4.45-125-gb23065e).
It works great for me.
Feel free to test it. I uploaded files for tests.
Test it
Run lighttpd
This lets you in
$ sudo lighttpd -Df crl.conf
2017-05-12 12:57:20: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649)
...
While this
$ sudo lighttpd -Df crl.conf-revocked
2017-05-12 13:00:15: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649)
2017-05-12 13:00:21: (mod_openssl.c.1241) SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
leads to the following error
Secure Connection Failed
An error occurred during a connection to localhost. SSL peer rejected your certificate as revoked. Error code: SSL_ERROR_REVOKED_CERT_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Learn more…
Using Firefox
firefox https://localhost
Using cURL
$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
* Closing connection 0
curl: (35) error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
* start date: May 11 23:31:33 2017 GMT
* expire date: May 9 23:31:33 2027 GMT
* issuer: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "691802132"
< Last-Modified: Fri, 12 May 2017 16:58:51 GMT
< Content-Length: 10
< Date: Fri, 12 May 2017 16:58:56 GMT
<
It works!
* Connection #0 to host localhost left intact
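
The revocation check that the test above exercises can be reproduced offline with the openssl command-line tool. This is an added example, not part of the ticket, the patch or the uploaded files: the throwaway CA, the subjects and every file name are constructed here, and `openssl verify -crl_check` stands in for the server-side check that ssl.ca-crl-file enables.

```sh
# Added example with constructed names: throwaway CA, one client certificate,
# and the CRL check a server performs once a CRL file is configured.
check_cert() {   # prints ok, revoked or error for client.pem against crl.pem
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem 2>&1)
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *"client.pem: OK"*)      echo ok ;;
        *)                       echo error ;;
    esac
}

# Build the fixtures in a temp dir; print the verdict before and after revocation.
crl_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT
    mkdir ca && : > ca/index.txt && echo 01 > ca/serial
    ca="openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -md sha256"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3
[ dn ]
[ v3 ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ca/index.txt
new_certs_dir = ca
serial = ca/serial
policy = any
[ any ]
commonName = supplied
EOF
    {
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=demo-ca -keyout ca.key -out ca.pem &&
        openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=admin -keyout client.key -out client.csr &&
        $ca -batch -notext -days 30 -in client.csr -out client.pem &&
        $ca -gencrl -crldays 7 -out crl.pem          # CRL with no entries yet
    } >/dev/null 2>&1 || exit 1
    before=$(check_cert)
    $ca -revoke client.pem >/dev/null 2>&1 &&
        $ca -gencrl -crldays 7 -out crl.pem >/dev/null 2>&1 || exit 1   # CRL now lists serial 01
    echo "$before $(check_cert)"
)

crl_demo   # prints: ok revoked
```

The same certificate verifies against the empty CRL and is rejected once the regenerated CRL lists its serial, which is why the CRL file a server loads has to be refreshed whenever the CA revokes a certificate.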
Updated by gportay over 7 years ago
Updated by gstrauss over 7 years ago
- Target version changed from 1.4.x to 1.4.46
Updated by gportay over 7 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset e422ac128ab38230a1315e9a441f25a7b7ceef1c.