Certificate and CRL Path Validation Error
All,

I am working in an environment utilizing a PKI consisting of several Root and Intermediate Certificate Authorities. In order to reduce the overhead when requiring client authentication using digital certificates, I am using the following two directives:

SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to Process Certificate Revocation Lists

I've yet to encounter a version of Apache and Mod_SSL performing proper path validation. If a user presents a certificate that is revoked, but not included in the directory containing all the PEM/Base64 encoded CRL files and associated symbolic links, Apache allows access.

If a user presents a certificate issued from an Intermediate Certificate Authority that is not included in the directory containing all the Root and Intermediate CA certificates in PEM/Base64 encoded format and associated symbolic links, he/she is allowed access.

I would prefer the system to validate the entire chain and not allow access in the event a local CRL file or Intermediate CA certificate is not available. By default, IIS performs this path validation correctly. If IIS does not have a current CRL file issued by each and every CA in the certificate path, the client is denied access. If IIS does not have a certificate from each and every CA in the certificate path, the client is denied access.

I am trying to automate the process of updating the CA certificate directory and associated CRL directories by scheduling a job to run on a nightly basis. If Apache has a local CRL and CA certificate from each and every CA in the path used to issue the client certificates, then all checks are performed and the client is properly validated.

I would prefer the system default to "Closed" instead of "Open" in the event an Intermediate CA certificate is unavailable or no CRL file is available. Again, the system must have at least one CA certificate trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate issued by one of the Intermediate CAs and Apache does deny access because the key usage of the client certificate does not allow it to be used as a Root CA and issue additional client certificates. I used OpenSSL in order to issue client certificates from a client certificate. This type of path validation seems to work on all the versions of Apache and Mod_SSL I've tested.

Thanks
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
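As an added illustration (not part of the original post, and not mod_ssl code): a Python preflight check for the nightly job described above, which refuses to publish a CA/CRL store in which any CA in the chain lacks a resolvable certificate or CRL entry, together with a Python `ssl` server context configured the fail-closed way the poster wants. Assumptions: the hashed directory layout produced by c_rehash (`<hash>.0` for CA certificates, `<hash>.r0` for CRLs), the constructed subject hashes `a1b2c3d4` and `e5f6a7b8`, and placeholder file bodies; the store-building helper and its dangling symlink are constructed for the demo. `ssl.VERIFY_CRL_CHECK_CHAIN` is OpenSSL's `X509_V_FLAG_CRL_CHECK_ALL`, which turns a missing CRL for any CA in the chain into a verification failure instead of silently skipping the revocation check.

```python
import ssl
import tempfile
from pathlib import Path

# Constructed sample chain: (display name, OpenSSL subject hash as printed by
# `openssl x509 -noout -subject_hash`). The hashes are made up for the demo.
SAMPLE_CHAIN = [
    ("Example Root CA", "a1b2c3d4"),
    ("Example Intermediate CA", "e5f6a7b8"),
]


def hashed_entries(directory, subject_hash, revocation=False):
    """Files OpenSSL's hash-dir lookup would try for this subject hash.

    c_rehash names CA certificates <hash>.0, <hash>.1, ... and CRLs
    <hash>.r0, <hash>.r1, ...; anything else in the directory is ignored.
    """
    prefix = subject_hash + (".r" if revocation else ".")
    return sorted(p for p in Path(directory).iterdir()
                  if p.name.startswith(prefix) and p.name[len(prefix):].isdigit())


def check_store(chain, ca_dir, crl_dir):
    """Preflight for the nightly job: every CA in `chain` must have a resolvable
    certificate entry in ca_dir and a resolvable CRL entry in crl_dir.

    Returns a list of problem descriptions; an empty list means the store is
    complete for this chain. Dangling symlinks count as missing, because
    OpenSSL cannot open them either.
    """
    problems = []
    for name, subject_hash in chain:
        for label, directory, revocation in (("CA certificate", ca_dir, False),
                                             ("CRL", crl_dir, True)):
            entries = hashed_entries(directory, subject_hash, revocation)
            if not entries:
                problems.append(f"{name}: no {label} entry for hash {subject_hash} in {directory}")
                continue
            for entry in entries:
                if not entry.exists():  # exists() follows symlinks -> False when dangling
                    problems.append(f"{name}: {label} entry {entry.name} is a dangling symlink")
    return problems


def build_fail_closed_context(ca_dir, crl_dir):
    """Server-side TLS context that rejects a client unless its whole chain
    verifies against ca_dir and a CRL for every CA in the chain is found in
    crl_dir (OpenSSL's X509_V_FLAG_CRL_CHECK_ALL, exposed by Python as
    ssl.VERIFY_CRL_CHECK_CHAIN). A real server would also call
    ctx.load_cert_chain(certfile, keyfile) for its own certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Hash-dir lookups are lazy: both directories are searched on demand,
    # certificates by <hash>.N and CRLs by <hash>.rN.
    ctx.load_verify_locations(capath=str(ca_dir))
    ctx.load_verify_locations(capath=str(crl_dir))
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def is_fail_closed(ctx):
    """True when the context both demands a client certificate and treats a
    missing CRL anywhere in the chain as a verification failure."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN)


def make_demo_store(root=None):
    """Create a constructed, deliberately incomplete store for the demo:
    the root CA has a certificate and a CRL, the intermediate CA's certificate
    symlink is dangling and its CRL was never fetched. File bodies are
    placeholders, not real PEM; the lazy hash-dir lookup never reads them here.
    """
    root = Path(root or tempfile.mkdtemp())
    ca_dir, crl_dir = root / "ca", root / "crl"
    ca_dir.mkdir(parents=True)
    crl_dir.mkdir(parents=True)
    (ca_dir / "root-ca.pem").write_text("placeholder certificate\n")
    (ca_dir / "a1b2c3d4.0").symlink_to("root-ca.pem")
    (crl_dir / "root-ca.crl").write_text("placeholder CRL\n")
    (crl_dir / "a1b2c3d4.r0").symlink_to("root-ca.crl")
    (ca_dir / "e5f6a7b8.0").symlink_to("intermediate-ca.pem")  # target never written
    return ca_dir, crl_dir


if __name__ == "__main__":
    ca_dir, crl_dir = make_demo_store()
    for problem in check_store(SAMPLE_CHAIN, ca_dir, crl_dir):
        print("REFUSE TO DEPLOY:", problem)
    print("fail-closed context:", is_fail_closed(build_fail_closed_context(ca_dir, crl_dir)))
```

Run stand-alone, the preflight reports the dangling intermediate certificate link and the absent intermediate CRL, which is exactly the state in which mod_ssl 2.8 would quietly let the client through; the nightly job should stop there rather than swap the new directories in. On the server side, the same OpenSSL flag is what httpd 2.4's `SSLCARevocationCheck chain` directive sets, so on that branch the "Closed" default the poster asks for is a one-line configuration change.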
Re: Certificate and CRL Path Validation Error
Hi There:
The limitations of mod_ssl for path validation are further than what you have
described, in that it also cannot perform policy mapping up the entire
certificate chain, and also has no concept of how to deal with AIA or SIA
fields. I'm not sure where the developers are in terms of full RFC 3280 Path
Validation compliance, but as we also have a need for more full path
validation, especially a model that will work in a Cross-Certification type
environment.

It is our intent to be starting to work on this this fall, unless we hear from
the community that there is already work underway to add in full 3280
validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought
that I would bring it up here.)
Cheers.
On Thursday 31 August 2006 08:53, rlabbe [at] satx.rr.com wrote:
> All,
>
> I am working in an environment utilizing a PKI consisting of several
> Root and Intermediate Certificate Authorities. In order to reduce the
> overhead when requiring client authentication using digital
> certificates, I am using the following two directives:
>
> SSLCACertificatePath – Used for Root and Intermediate CAs
> SSLCARevocationPath – Used to Process Certificate Revocation Lists
>
> I've yet to encounter a version of Apache and Mod_SSL performing proper
> path validation. If a user presents a certificate that is revoked, but
> not included in the directory containing all the PEM/Base64 encoded CRL
> files and associated symbolic links, Apache allows access.
>
> If a user presents a certificate issued from an Intermediate
> Certificate Authority that is not included in the directory containing
> all the Root and Intermediate CA certificates in PEM/Base64 encoded
> format and associated symbolic links, he/she is allowed access.
>
> I would prefer the system to validate the entire chain and not allow
> access in the event a local CRL file or Intermediate CA certificate is
> not available. By default, IIS performs this path validation correctly.
> If IIS does not have a current CRL file issued by each and every CA in
> the certificate path, the client is denied access. If IIS does not have
> a certificate from each and every CA in the certificate path, the
> client is denied access.
>
> I am trying to automate the process of updating the CA certificate
> directory and associated CRL directories by scheduling a job to run on
> a nightly basis. If Apache has a local CRL and CA certificate from each
> and every CA in the path used to issue the client certificates, then
> all checks are performed and the client is properly validated.
>
> I would prefer the system default to "Closed" instead of "Open" in the
> event an Intermediate CA certificate is unavailable or no CRL file is
> available. Again, the system must have at least one CA certificate
> trusted and available locally, but no CRL files.
>
> Note: I have issued a client certificate from a client certificate
> issued by one of the Intermediate CAs and Apache does deny access
> because the key usage of the client certificate does not allow it to be
> used as a Root CA and issue additional client certificates. I used
> OpenSSL in order to issue client certificates from a client
> certificate. This type of path validation seems to work on all the
> versions of Apache and Mod_SSL I've tested.
>
> Thanks
--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
Re: Certificate and CRL Path Validation Error
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
> (I'll probably take this over to modssl-devel, but since you asked, I
> thought that I would bring it up here.)
>
Hmm - I thought there WAS a developers mailing list, but apparently I was
mistaken - so I guess I have to ask is this the right place to have
discussions about the best way to add in the capability for mod_ssl to do
full 3280 path validation?
Thanks.
--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
Re: Certificate and CRL Path Validation Error
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
> On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
>
> > (I'll probably take this over to modssl-devel, but since you asked, I
> > thought that I would bring it up here.)
> >
>
> Hmm - I thought there WAS a developers mailing list, but apparently I was
> mistaken - so I guess I have to ask is this the right place to have
> discussions about the best way to add in the capability for mod_ssl to do
> full 3280 path validation?
New mod_ssl development generally happens in the httpd 2.x tree, so
dev [at] httpd.apache.org is where it is discussed. I don't think Ralf is
adding new features to mod_ssl 2.8 any more.
Regards,
joe