CRL with OpenSSL



Hi

A cautious handling of Heartbleed included renewing private keys and
certificates. But that is of no interest if the possibly compromised
certificate is not revoked, or if revocation is not enforced.

I therefore tried CRL in OpenLDAP (linked with OpenSSL). I first started
with client settings, in ~/.ldaprc:

BASE    dc=example,dc=net
URI     ldaps://ldap.example.net
TLS_CACERT      /etc/openssl/certs/ca.crt
TLS_REQCERT     demand
TLS_CACERTDIR   /home/manu/openssl/ca
TLS_CRLCHECK    all

As suggested in the man page, I added a copy of
/etc/openssl/certs/ca.crt in /home/manu/openssl/ca and tried a
ldapsearch on the server. It fails, and with debug output I have:

TLS certificate verification: Error, unable to get certificate CRL
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get certificate CRL).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

A kernel trace shows that before the error message, it attempts to open
/home/manu/openssl/ca/0726b466.r0

If I rename the CA to that name, it will read it, then fail on:

TLS certificate verification: Error, unable to get certificate CRL
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:0906D06C:PEM routines:PEM_read_bio:no start line.

That suggests the man page is wrong and it is not expecting a CA there.
If I remove the CA from /home/manu/openssl/ca/ and copy the CRL to
/home/manu/openssl/ca/0726b466.r0, it reads it without complaint, then
tries to read /home/manu/openssl/ca/0726b466.r1 and fails there.

If I copy /home/manu/openssl/ca/0726b466.r0 to
/home/manu/openssl/ca/0726b466.r1, the message suggests that it is
indeed trying to load the CRL from that file:
TLS: can't connect: error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table.

I have a few questions before I start to read the code, just in case it
is a known issue:

Why the cryptic file names? And why do I need a second 0726b466.r1 file?
Using TLS_CRLCHECK    peer instead of TLS_CRLCHECK    all does not
change the behavior.

And is OpenSSL CRL supposed to work? This is OpenLDAP 2.4.33

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
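Added example, not part of the original post: a POSIX shell script that installs a CA certificate and its CRL into a hashed directory of the kind TLS_CACERTDIR expects. The file names follow OpenSSL's by_dir lookup convention: `<hash>.N` for CA certificates and `<hash>.rN` for CRLs, where the hash is the value printed by `openssl x509 -hash` (subject hash of the CA) and `openssl crl -hash` (issuer hash of the CRL), and N starts at 0 and only increments when two different files share a hash. The lookup code opens `.r0`, `.r1`, ... until a name does not exist, so a probe for a missing `.r1` is the normal end of that search, and installing the same CRL under two suffixes is what produces "cert already in hash table". The directory and file arguments are assumptions for the demonstration; the `c_rehash` script shipped with OpenSSL produces the same layout for a whole directory.

```shell
#!/bin/sh
# Added example (not from the original post): build an OpenSSL hashed CA
# directory for TLS_CACERTDIR. Assumed inputs (hypothetical paths): a PEM CA
# certificate and a PEM CRL given on the command line, and "openssl" on PATH.
set -eu

# Hash used in the file names: subject hash of the CA for HASH.N, and the
# matching issuer hash of the CRL for HASH.rN.
ca_hash()  { openssl x509 -hash -noout -in "$1"; }
crl_hash() { openssl crl  -hash -noout -in "$1"; }

# next_free_name DIR HASH KIND
# KIND is "" for certificates (HASH.0, HASH.1, ...) or "r" for CRLs
# (HASH.r0, HASH.r1, ...). OpenSSL's by_dir lookup probes HASH.<KIND>0,
# HASH.<KIND>1, ... until a name is missing, so the suffix only grows when
# different files collide on the same hash.
next_free_name() {
    dir=$1 hash=$2 kind=$3
    n=0
    while [ -e "$dir/$hash.$kind$n" ]; do
        n=$((n + 1))
    done
    printf '%s/%s.%s%s\n' "$dir" "$hash" "$kind" "$n"
}

# install_pem DIR FILE HASH KIND
# Copy FILE into DIR under the next free hashed name, unless a byte-identical
# copy is already installed (a duplicate would trigger
# "X509_STORE_add_crl:cert already in hash table" at load time).
# Prints the path that holds the file.
install_pem() {
    dir=$1 file=$2 hash=$3 kind=$4
    n=0
    while [ -e "$dir/$hash.$kind$n" ]; do
        if cmp -s "$file" "$dir/$hash.$kind$n"; then
            printf '%s\n' "$dir/$hash.$kind$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$file" "$(next_free_name "$dir" "$hash" "$kind")"
    printf '%s\n' "$dir/$hash.$kind$n"
}

install_ca()  { install_pem "$1" "$2" "$(ca_hash "$2")" ""; }
install_crl() { install_pem "$1" "$2" "$(crl_hash "$2")" "r"; }

# verify_with_crl DIR CERT
# Check a server certificate against the hashed directory the way a client
# with TLS_CRLCHECK all does: every CA in the chain must have a CRL present.
verify_with_crl() {
    openssl verify -CApath "$1" -crl_check_all "$2"
}

# Usage: cadir-install.sh DIR ca.crt ca.crl [server.crt]
if [ "${1:-}" ] && [ "${2:-}" ] && [ "${3:-}" ]; then
    mkdir -p "$1"
    install_ca  "$1" "$2"
    install_crl "$1" "$3"
    if [ "${4:-}" ]; then
        verify_with_crl "$1" "$4"
    fi
fi
```

With the CA installed as `<hash>.0` and its CRL as `<hash>.r0` in the same directory, `openssl verify -CApath DIR -crl_check_all server.crt` exercises the same lookup path the LDAP client uses, which makes it a quick way to confirm the directory layout before touching ldap.conf.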