Actions

Copy link

Feature #2319

closed

Support CRLs for client certificate verification

Added by binbrain almost 13 years ago. Updated almost 7 years ago.

Status:

Fixed

Priority:

Normal

Category:

TLS

Target version:

1.4.46

ASK QUESTIONS IN Forums:

Description

I've attached a patch to support local CRLs. This feature has been discussed in tickets #1288 and #2278. The change was developed for 1.4.26 and ported to trunk 1.5 without much effort. The patch can be applied to the SVN 1.5 trunk and works as follows.

regular client verification configuration discussed in ticket #1288 apply
new config param ssl.ca-crl-file added
if ssl.ca-crl-file is set, make sure the client cert isn't revoked

If all goes well, a client using a revoked cert will receive a "SSL peer rejected your certificate as revoked" message. Otherwise, pass through.

Files

Download all files

ca-crl.patch (3.62 KB) ca-crl.patch	patch for 1.5	binbrain, 2011-06-01 19:55
ca-crl-1.4.39.patch (3.51 KB) ca-crl-1.4.39.patch	ssl.ca-crl-file patch for 1.4.39	flynn, 2016-03-16 14:45
ca-crl-1.4.42.patch (3.59 KB) ca-crl-1.4.42.patch	ssl.ca-crl-file patch for 1.4.42	flynn, 2016-10-31 08:59
0001-mod_openssl-support-for-CRL.patch (4.68 KB) 0001-mod_openssl-support-for-CRL.patch	rebased patch for 1.4.45	gportay, 2017-05-12 16:19
ca.pem (1.28 KB) ca.pem	the ca pem file - to set in ssl.ca-file	gportay, 2017-05-12 16:19
crl.conf (3.41 KB) crl.conf	the conf file that has not revocked yet the ca	gportay, 2017-05-12 16:19
crl.conf-revocked (3.42 KB) crl.conf-revocked	the conf file that has revocked the ca	gportay, 2017-05-12 16:19
crl.pem (658 Bytes) crl.pem	the crl pem file - to set in ssl.ca-crl-file	gportay, 2017-05-12 16:19
crl.pem-revocked (690 Bytes) crl.pem-revocked	the crl pem file that has revocked the ca - to set in ssl.ca-crl-file	gportay, 2017-05-12 16:19
server.pem (2.94 KB) server.pem	the server pem file - to set in ssl.pemfile	gportay, 2017-05-12 16:19
revocked-admin.p12 (3.47 KB) revocked-admin.p12	revocked admin PKCS #12 file - to import to web-browser	gportay, 2017-05-12 16:54
revocked-admin-certificate.pem (4.39 KB) revocked-admin-certificate.pem	revocked admin certificate file - signed with ca - to use with curl	gportay, 2017-05-12 16:54
revocked-admin-key.pem (1.64 KB) revocked-admin-key.pem	revocked admin key file - to use with curl	gportay, 2017-05-12 16:54
2017-05-12-124308_1920x1080_scrot.png (60.5 KB) 2017-05-12-124308_1920x1080_scrot.png	Firefox screenshot	gportay, 2017-05-12 17:13
ca-crl.patch (3.62 KB) ca-crl.patch		tecnomexico, 2017-05-13 16:46

Actions

Copy link

Updated by darix almost 13 years ago

File deleted (~~ca-crl.patch~~)

Actions

Copy link

Updated by binbrain almost 13 years ago

File ca-crl.patch ca-crl.patch added

Actions

Copy link

Updated by stbuehler almost 13 years ago

Target version set to 1.5.0

Actions

Copy link

Updated by flynn about 8 years ago

File ca-crl-1.4.39.patch ca-crl-1.4.39.patch added

I adapted the patch for the current version 1.4.39 and it works for me, if the revocation reason code is set to "Privilege Withdrawn".

I would like to see in the next version 1.4.40, especially because there is no effect on existing installations,
as long as the new configuration variable ssl.ca-crl-file is not used.

For the wiki the I suggest the following entry:

ssl.ca-crl-file path to the CRL file in PEM format (revocation list)

Actions

Copy link

Updated by gstrauss about 8 years ago

Target version changed from 1.5.0 to 1.4.x

Actions

Copy link

Updated by gstrauss almost 8 years ago

Category changed from core to TLS

Actions

Copy link

Updated by dirk4000 over 7 years ago

I would like to see this feature in next version 1.4.42.

Actions

Copy link

Updated by flynn over 7 years ago

File ca-crl-1.4.42.patch ca-crl-1.4.42.patch added

I updated the patch for the current version 1.4.42 for easier inclusion.

Actions

Copy link

Updated by gstrauss over 7 years ago

Thanks, flynn. This won't make today's release, but will likely make the one following.

Actions

Copy link

#10

Updated by gstrauss over 7 years ago

Sorry. This won't make 1.4.44. Maybe the following release.

As noted in #2694

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

See also #2156 where the request for feedback has unfortunately been met with silence.

Actions

Copy link Download all files

#11

Updated by gportay almost 7 years ago

File 0001-mod_openssl-support-for-CRL.patch 0001-mod_openssl-support-for-CRL.patch added
File ca.pem ca.pem added
File crl.conf crl.conf added
File crl.conf-revocked crl.conf-revocked added
File crl.pem crl.pem added
File crl.pem-revocked crl.pem-revocked added
File server.pem server.pem added
File revocked-admin.p12 revocked-admin.p12 added
File revocked-admin-certificate.pem revocked-admin-certificate.pem added
File revocked-admin-key.pem revocked-admin-key.pem added

I rebased the last patch from flynn on top of master (lighttpd-1.4.45-125-gb23065e).

It works great for me.

Feel free to test it. I uploaded files for tests

Test it¶

Run lighttpd¶

This let you in

$ sudo lighttpd -Df crl.conf
2017-05-12 12:57:20: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649) 
...

While this

$ sudo lighttpd -Df crl.conf-revocked
2017-05-12 13:00:15: (server.c.1278) server started (lighttpd/1.4.46-devel-lighttpd-1.4.45-126-gc10a649) 
2017-05-12 13:00:21: (mod_openssl.c.1241) SSL: 1 error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

leads to the following error

Secure Connection Failed

An error occurred during a connection to localhost. SSL peer rejected your certificate as revoked. Error code: SSL_ERROR_REVOKED_CERT_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…

Using Firefox¶

firefox https://localhost

Firefox screenshot

Using cURL¶

$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked
* Closing connection 0
curl: (35) error:14094414:SSL routines:ssl3_read_bytes:sslv3 alert certificate revoked

$ curl --insecure --key revocked-admin-key.pem --cert revocked-admin-certificate.pem --cacert ca.pem --url https://localhost --verbose
* Rebuilt URL to: https://localhost/
*   Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 443 failed: Connection refused
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: ca.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
*  start date: May 11 23:31:33 2017 GMT
*  expire date: May  9 23:31:33 2027 GMT
*  issuer: C=CA; ST=Quebec; L=Montreal; O=CRL Ltd; OU=IT; CN=www.example-crl.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "691802132" 
< Last-Modified: Fri, 12 May 2017 16:58:51 GMT
< Content-Length: 10
< Date: Fri, 12 May 2017 16:58:56 GMT
< 
It works!
* Connection #0 to host localhost left intact

Actions

Copy link

#12