EAP-TLS CRL problem - a PKIX guru around?
Hi, I've just had to revoke a certificate, and thus had to configure FreeRADIUS to enable CRL checks. Which went fine, except that while checking a valid cert, the CRL checks bark with something I don't understand. It's not entirely a FreeRADIUS question, but ... maybe enough clueful EAP-TLS deployers around maybe? What I see in debug mode is this: (5760) eap_tls: <<< TLS 1.0 Handshake [length 141a], Certificate (5760) eap_tls: TLS Verify adding attributes (5760) eap_tls: &request:TLS-Client-Cert-Serial := '010d' (5760) eap_tls: &request:TLS-Client-Cert-Expiration := '161028102449Z' (5760) eap_tls: &request:TLS-Client-Cert-Subject := '/C=LU/L=Luxembourg/O=Fondation RESTENA/OU=Secretariat/CN=certuser-2016-009@restena.lu/emailAddress=certuser-2016-009@restena .lu' (5760) eap_tls: &request:TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu' (5760) eap_tls: &request:TLS-Client-Cert-Common-Name := 'certuser-2016-009@restena.lu' ERROR: (5760) eap_tls: SSL says error 44 : Different CRL scope (5760) eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown ERROR: (5760) eap_tls: TLS Alert write:fatal:certificate unknown tls: TLS_accept: Error in SSLv3 read client certificate B ERROR: (5760) eap_tls: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. So... the smoking gun line is "error 44 : Different CRL scope". Which means exactly nothing to me. The cert is issued by TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu' and the CRL has: Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha512WithRSAEncryption Issuer: /C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu Last Update: Mar 9 08:57:55 2015 GMT Next Update: Mar 6 08:57:55 2025 GMT CRL extensions: X509v3 Issuer Alternative Name: email:admin@restena.lu X509v3 Authority Key Identifier: keyid:4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin@restena.lu serial:01:00 X509v3 Issuing Distrubution Point: Full Name: URI:https://www.restena.lu/restena-staffauth.crl X509v3 CRL Number: 2 Revoked Certificates: Serial Number: 0103 Revocation Date: Mar 9 08:57:15 2015 GMT CRL entry extensions: X509v3 CRL Reason Code: Affiliation Changed So, the issuer of the CRL matches the issuer of the cert, and the CRL only revokes one of its serials, and it's not the incoming one. What the ... is openssl complaining about here? If anyone knows, please enlighten me... Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10 Mar 2015, at 13:47, Stefan Winter <stefan.winter@restena.lu> wrote: So... the smoking gun line is "error 44 : Different CRL scope". I suspect the issue is with the certificate itself - there are a few x509 extensions that mean a CRL is asserted to only have certificates revoked for certain reasons, or be partitioned into multiple CRL's. In short, I think OpenSSL believes the CRL is incomplete. What does openssl x509 -noout -text -in <crt> say? Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJU/wE5AAoJEKTthRWhpiMvxOcP/3+N4/sXpM4LQ0OtcYE+8WY7 NGQrJJw3VjmRxdLOhsopz9d6oRrIy5ZgZ5yrBZ9ofB/S5wJKvvzh2NYqF/ltmgZA O8tSajWmyjdaQ47lFojPVAhHes/vwfXHPmmoTkrh0c3mh40X6hNC+vwrpK29rEHR eUZVnTN0sRImcXjTGLsoer2hC5ib703RXNMKJzNyKqW+D2DgaajnP9oTrYpnf7jp k0b0ItwvGJsKFMxNKM030MjprKtNqwEI4eLDF1CNSL3DZAs7wfgE/y9E6CpQwcYu MsD4QEwDk/EILOuzsbwqIMXADFYGAYir5+SND6LDgdJFkBCwxvPNt+4dAbGa6GJB +wMfkuGYjI8NZgshdml0w973mndK81gMhV/giaN/OIGQqMjQMFjh+B8dUUn/lx0Z qzdbB/kZZCDGNwIGvQMMQbQ+g26CVcRNp0av6YHeORX/laE/d7TeeCB02zT8cKzB GZPwC+WrVv6gXCz3OI/pynS0+CD8zaD8u1+w184h6Vp9vJsRFPFruB9dd5XO/686 fOO2rU6/OhPNQiPzHyNE3zkn891hIG/ewV613Ov1GRm64za7tVvI63/o2203+4Wo qWPexXy7n/6n/rj68nbiX4wZHt66bnDDtq1UnzHBvn403IgPJ3NJqqmh/AH8NFz5 zunMmsr+BPVbXDwSRdZI =I4vn -----END PGP SIGNATURE----- Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi, the cert itself doesn't contain anything re CRLs (including no CRLDP as I just notice). Keying material snipped, otherwise complete (different serial, but generated from the same script): Certificate: Data: Version: 3 (0x2) Serial Number: 256 (0x100) Signature Algorithm: sha512WithRSAEncryption Issuer: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu Validity Not Before: Mar 7 09:31:43 2013 GMT Not After : Mar 11 09:31:43 2016 GMT Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=almostanonymous@restena.lu/emailAddress=almostanonymous@restena.lu Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b6:60:0a:be:fb:76:d9:8d:7c:c6:c0:a5:d3:95: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.23735.5.4 CPS: https://www.restena.lu/ca/restena-staffauth-cps.pdf Signature Algorithm: sha512WithRSAEncryption Maybe it's more a problem with the (intermediate) CA's CRL properties in its cert: Certificate: Data: Version: 3 (0x2) Serial Number: 256 (0x100) Signature Algorithm: sha512WithRSAEncryption Issuer: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Services CA/emailAddress=admin@restena.lu Validity Not Before: Feb 20 08:40:33 2013 GMT Not After : Feb 18 08:40:33 2023 GMT Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a4:b3:da:e4:dc:18:5d:ab:d2:67:7f:e7:d1:29: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D X509v3 Authority Key Identifier: keyid:5F:F5:DB:E2:ED:B1:5A:8A:60:E2:E8:35:BC:85:2F:D3:14:24:7B:80 DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin@restena.lu serial:A7:0A:8C:94:C4:2D:2D:A8 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Alternative Name: email:admin@restena.lu X509v3 CRL Distribution Points: Full Name: URI:https://www.restena.lu/ca/restena-root.crl Authority Information Access: CA Issuers - URI:http://www.restena.lu X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.23735.5.1 CPS: https://www.restena.lu/ca/restena-root-cps.pdf Signature Algorithm: sha512WithRSAEncryption But here I only see that the cert can sign CRLs, no other constraints. For amoment I was wondering if it's because the CRL has this extra line: X509v3 Authority Key Identifier: keyid:4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin@restena.lu serial:01:00 which is the DirName of the *root* CA. But the root CA is the ultimate authority, so isn't this the correct thing to state? Commerical CA's CRLs don't seem to include any more than the keyid... Stefan On 10.03.2015 15:35, Adam Bishop wrote:
- gpg control packet On 10 Mar 2015, at 13:47, Stefan Winter <stefan.winter@restena.lu> wrote: So... the smoking gun line is "error 44 : Different CRL scope".
I suspect the issue is with the certificate itself - there are a few x509 extensions that mean a CRL is asserted to only have certificates revoked for certain reasons, or be partitioned into multiple CRL's. In short, I think OpenSSL believes the CRL is incomplete.
What does openssl x509 -noout -text -in <crt> say?
Regards,
Adam Bishop
gpg: 0x6609D460
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10 Mar 2015, at 15:18, Stefan Winter <stefan.winter@restena.lu> wrote: the cert itself doesn't contain anything re CRLs (including no CRLDP as I just notice). I think you're right about the intermediate being the issue... if your leaf doesn't contain a CRL distribution point then openSSL can't be querying it. I notice that when I'm querying your root CRL, openssl is only returning the first entry. I wonder if it does that when doing an actual validation, as opposed to dumping the CRL. Also From your root CRL: X509v3 Issuing Distrubution Point: 00...,.*https://www.restena.lu/ca/restena-root.crl That looks wrong but given OpenSSL is spelling "distribution" wrong this could be a bug in the text output renderer... Regards, Adam Bishop Systems Development Specialist gpg: 0x6609D460 t: +44 (0)1235 822 245 xmpp: adamb@jabber.dev.ja.net jisc.ac.uk -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJU/xwOAAoJEKTthRWhpiMvEn4P/03krv2M8xmk8em7kGexnqBH rbWjfwkhl2vOTttd+DMjD8KDK5FtpC9c2VCyAo/TgiYX+nh/6PVTxwW4K2rgAPBk XeqdyMIyM92OSH+AZ7kS7nEnQ7yYCU2crLsVqCRoSnOvSHYqwj/vcWPh/Ppj3yN/ 86b2NB5Lw5xU50U66U2xixVI1ClvxOjxGz1GXQqe3HSOdLYw0b2XXXo9K6YeyWXo YkvddCXTpFIN+lHfxDa0w3kg83Sq/lgfnTQJ4jasKn1AQiJwTfvlFzCE8MdjwFUa 7VO3Yj/Q+94jKcZSuizJlbljWdMOh56erKAN4/mx89W4uPTWuFvrgoeWi6VT7vZ2 eQylIRepX5UJCOr1oHEPkm8hHRsJh+UfcEWaozkTfERPu8cHRvVYsMKIzn507Tf9 huW0cCKiJ/mCqEFt7GQtPt56LTA7DeqgXmAjtkxsQ6zikhNH9UQq86LnMWeQdPMM iipbDTHz8HVBAQM/D4fiwUAvh2U0f4XCvp31Nqg1lnNfdFnmJAIRrzn363s6PRvR m3ESoSO8r1qYzu1w77MV2By9rLfW05IiBKo6yx/+KBu6ddMbc+LexJiORJ/lou+T 5ZaRwlPY5s5Op8C8TV/TITH4QxlMHWLBXb5rP6ILrh5b6NTX7pW1heS8nXfh3cPD x1t7abZOZ2Vx7PjrTSde =uHME -----END PGP SIGNATURE----- Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
I think you're right about the intermediate being the issue... if your leaf doesn't contain a CRL distribution point then openSSL can't be querying it.
I don't think OpenSSL follows CRLDPs on its own. CRLs need to be on the filesystem besides the CA certs, with c_rehash. Then openssl does its magic based on that data set. I just did an openssl verify for the client certificate on my cmdline, which yielded the same error.
I notice that when I'm querying your root CRL, openssl is only returning the first entry. I wonder if it does that when doing an actual validation, as opposed to dumping the CRL.
Also From your root CRL:
X509v3 Issuing Distrubution Point: 00...,.*https://www.restena.lu/ca/restena-root.crl
That looks wrong but given OpenSSL is spelling "distribution" wrong this could be a bug in the text output renderer...
I get this for an openssl x509 -in ... -noout -text on our root CA: X509v3 CRL Distribution Points: Full Name: URI:https://www.restena.lu/ca/restena-root.crl I think your text output misses the binary representation of "Full Name, URI" and spits out the binary garbage untranslated. So, I'm nowhere closer to finding what's wrong with my CRL. Colleagues from another CA gave me their own (working) CRL to take a look - maybe I should live a simpler life and issue CRL Version 1, which doesn't have any notion of revocation reasons nor authority identifiers. Greetings, Stefan Winter
Regards,
Adam Bishop Systems Development Specialist
gpg: 0x6609D460 t: +44 (0)1235 822 245 xmpp: adamb@jabber.dev.ja.net
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (2)
-
Adam Bishop -
Stefan Winter