英文:
openssl do not recognize CRL from HTTP
问题
I'm here to help with the translation. Could you please specify which part you'd like me to translate?
英文:
have a strange issue. When using local CRL files for verifying certificate, everything is ok, but verification fails when done using HTTP (to the same file). This happens regardless of Content-Type, returned by Apache2 - either application/pem-certificate-chain or text/plain give the same result. I have no ideas, where and what need to be fixed - whether this is misconfiguration in Apache (which?!) or error/feature of openssl? Will appreciate any ideas on how to fix this. Thank you.
Local verification (even full chain is verifiable):
root@pkibox:~/simki# openssl verify -CAfile certs/za-fullchain.crt -crl_check -CRLfile crl/crl-a1.pem certs/za.crt
certs/za.crt: OK
root@pkibox:~/simki# openssl verify -CAfile certs/za-fullchain.crt -crl_check_all -CRLfile crl/crl-a1.pem -CRLfile crl/crl-r1.pem certs/za.crt
certs/za.crt: OK
BUT when trying to access this same file over HTTP, I receive error from openssl:
root@pkibox:~/simki# openssl verify -CAfile certs/za-fullchain.crt -crl_check -crl_download certs/za.crt
Unable to load CRL via CDP
802B4BD0EF7F0000:error:1E80006E:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:missing asn1 encoding:../crypto/http/http_client.c:755:
802B4BD0EF7F0000:error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:../crypto/http/http_client.c:874:server=http://pki.xxx.net:80
O = SIM, OU = SIM NOC, CN = za
error 3 at 0 depth lookup: unable to get certificate CRL
error certs/za.crt: verification failed
while Apache logs clearly says that file accessed:
pki.xxx.net:80 192.168.255.5 - - [17/Apr/2023:06:24:02 +0000] "GET /crl-a1.pem HTTP/1.0" 200 918 "-" "-"
and cURL test passes successfully:
root@pkibox:~/simki# curl -v http://pki.xxx.net/crl-a1.pem
* Trying 192.168.255.5:80...
* Connected to pki.xxx.net (192.168.255.5) port 80 (#0)
> GET /crl-a1.pem HTTP/1.1
> Host: pki.xxx.net
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 17 Apr 2023 06:23:58 GMT
< Server: Apache/2.4.52 (Ubuntu)
< Last-Modified: Mon, 17 Apr 2023 06:18:28 GMT
< ETag: "286-5f98228c77597"
< Accept-Ranges: bytes
< Content-Length: 646
< Content-Type: application/pem-certificate-chain
<
-----BEGIN X509 CRL-----
MIIBszCBnAIBATANBgkqhkiG9w0BAQsFADA5MQwwCgYDVQQKDANSSU0xEDAOBgNV
BAsMB1JJTSBOT0MxFzAVBgNVBAMMDlJJTSBTaWduaW5nIEExFw0yMzA0MTcwNjE3
[ ... ]
nBLzoS7VkQ==
-----END X509 CRL-----
* Connection #0 to host pki.xxx.net left intact
Certificate itself is ok, verifiable using openssl and contains CRL URI:
root@pkibox:~/simki# openssl x509 -in certs/za.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
[ ... ]
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication
[ ... ]
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.xxx.net/crl-a1.pem
[ ... ]
and the same for CRL PEM:
root@pkibox:~/simki# openssl crl -in /var/www/simki/crl-a1.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = SIM, OU = SIM NOC, CN = SIM Signing A1
Last Update: Apr 17 06:17:27 2023 GMT
Next Update: Apr 16 06:17:27 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
6E:5B:C0:D1:03:41:D2:65:49:89:47:F9:D4:48:D5:5E:68:A8:F4:6F
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
[ ... ]
答案1
得分: 1
这不是真正的编程或开发,而是rfc5280所述:
如果DistributionPointName包含类型为URI的通用名称,则必须假定以下语义:URI是指向与相关原因相关的当前CRL的指针,并将由相关的cRLIssuer发布。当使用HTTP或FTP URI方案时,URI必须指向如[RFC2585]中指定的单个DER编码的CRL。通过URI访问的HTTP服务器实现应在响应的content-type头字段中指定媒体类型application/pkix-crl。
注意使用DER而不是PEM。对于HTTP,openssl不会检查标头中的媒体类型(即Content-Type),但实际内容必须符合application/pkix-crl中指定的格式,即DER。
application/pem-certificate-chain由不同的协议(ACME)注册,用于不同的目的(向其主题/所有者颁发证书),此外,它必须仅包含证书,而不是CRL。
附注:您应该知道,许多现今的程序,特别是Chrome和Firefox,不会下载或使用CRL。 OCSP现在更为常见——特别是在TLS握手中携带的“装订”OCSP,无需额外的连接或往返——尽管远非普遍。CABforum要求AIA.OCSPresponder已经有一段时间了,但并未要求在Web的叶子证书中使用CRLDP。即使对于像OpenSSL这样可以使用CRL的程序,仅在CA每年更新CRL时才会对使用无效证书提供有效保护,特别是由于如今大多数叶子证书的有效期很难超过一年起始。但这些考虑显然与编程或开发无关,因此不适用于此处。
英文:
This isn't really programming or development but rfc5280 says
If the DistributionPointName contains a general name of type URI, the
following semantics MUST be assumed: the URI is a pointer to the
current CRL for the associated reasons and will be issued by the
associated cRLIssuer. When the HTTP or FTP URI scheme is used, the
URI MUST point to a single DER encoded CRL as specified in
[RFC2585]. HTTP server implementations accessed via the URI SHOULD
specify the media type application/pkix-crl in the content-type
header field of the response. ...
Note DER not PEM. For HTTP openssl doesn't check the media-type (aka Content-Type) in the header, but the actual content must be that specified for application/pkix-crl which is DER.
application/pem-certificate-chain is registered by a different protocol (ACME) for a different purpose (issuing a cert to its subject/owner), and moreover it must contain only cert(s) not CRL(s).
PS: you should be aware that many programs nowadays, particularly Chrome and Firefox, don't download or use CRLs. OCSP is now more common -- particularly 'stapled' OCSP carried in the TLS handshake, with no extra connections or roundtrips -- though far from universal. CABforum has for a while required AIA.OCSPresponder but not required CRLDP in leaf certs for the web. And even for programs like OpenSSL that (can) use CRL, a CA that updates CRL only yearly won't usefully protect against use of invalid certs, especially since nowadays most leaf certs can't have validity-period much more than a year to start with. But those considerations are definitely not programming or development and thus don't belong here.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论