All,
I'm not sure if this would be considered a vulnerability or lack of
functionality of Mod_SSL or OpenSSL.

Test Platform
Red Hat Linux 9.0
Apache 1.3.31
Mod_SSL 2.8.18
OpenSSL 0.9.7d

Apache server is configured for client authentication using digital
certificates and validation of a certificate revocation list (CRL) file.

Certificate Revocation List Concern:
If using the Certificate File directive for a CRL, Apache will start with
an expired CRL file. I am trusting several Certificate Authorities, but
only have one CRL file (expired) from one of the CAs. I am allowed access
using a revoked certificate as long as it is not issued from the CA of the
expired CRL file. I am not allowed access if I select a certificate issued
from the CA of the CRL file I'm using. The logging is correct in that
Apache is going to deny access for all clients of that particular CA until
I get a new CRL.

If using the Symbolic Link directive for the CRL file, Apache will start
with NO CRL file available. Apache will allow revoked certificates to
access all protected pages.

I've also noticed a similar behavior with path validation when using client
authentication and digital certificates. It seems as though Apache will
allow access as long as it can find a CA it trusts in the chain of the
client's certificate. Shouldn't Apache/Mod_SSL validate the trust of each
CA in the path for a client certificate? You can configure how deep to
validate the certificate, but it seems as though it's just going to check
as far up the chain until it finds a CA certificate it trusts and then
stops.

Internet Explorer was vulnerable to this type of attack because the browser
did not validate the trust of each certificate in the chain. Someone could
stand up their own CA using OpenSSL and issue digital certificates using a
signed certificate from a higher level CA. Internet Explorer would just
look through the tree until it found a CA that was trusted instead of
alerting the user that a rogue CA certificate had been found in the path.

Any feedback would be appreciated.
Thanks,
Rene
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)       www.modssl.org
User Support Mailing List                   modssl-users [at] modssl.org
Automated List Manager                      majordomo [at] modssl.org
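Both CRL failure modes in the post (mod_ssl starting with an expired CRL, and starting with no CRL at all when the revocation directory is empty) are fail-open conditions, so the practical mitigation is a pre-start check that refuses to launch Apache unless every CRL it will load is present and current. The script below is an added example written for this thread; it is not Rene's code and not part of mod_ssl or OpenSSL. It parses only the CRL header (issuer, thisUpdate, nextUpdate) with a small hand-written DER walker so it runs with the Python standard library alone; it does not verify the CRL signature, which mod_ssl does at load time. The file name `crl_preflight.py`, the `read_crl_dir` convention of loading `*.crl` and `*.pem` files from an `SSLCARevocationPath`-style directory, and the sample CRLs (built in `make_sample_crl` with a dummy signature, pinned to a fixed clock) are all constructed for the example.

```python
import base64
import os
import re
import sys
from datetime import datetime, timezone

# Minimal DER helpers: enough to build and walk a CRL header (assumed, not OpenSSL's parser).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _read_tlv(buf, pos):
    """Return (tag, value, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:  # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_validity(pem_text):
    """Return (thisUpdate, nextUpdate or None) from a PEM-encoded X.509 CRL."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM CRL block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, cert_list, _ = _read_tlv(der, 0)        # CertificateList SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)        # TBSCertList SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)            # optional version INTEGER, else signature alg
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)      # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)            # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)        # thisUpdate
    this_update, next_update = _parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):                # nextUpdate is OPTIONAL in the ASN.1
            next_update = _parse_time(tag, val)
    return this_update, next_update

def crl_status(pem_text, now=None):
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(pem_text)
    if this_update > now:
        return "not-yet-valid"
    if next_update is None:
        return "no-next-update"
    return "expired" if next_update < now else "current"

def audit_crls(named_pems, now=None):
    """named_pems: list of (label, pem_text). Returns a list of problem strings.
    An empty set is itself a problem: with no CRL loaded, revoked certs are accepted."""
    problems = []
    if not named_pems:
        problems.append("no CRL files present: revocation checking would be silently disabled")
    for label, pem in named_pems:
        try:
            status = crl_status(pem, now)
        except ValueError as exc:
            problems.append("%s: unparseable (%s)" % (label, exc))
            continue
        if status != "current":
            problems.append("%s: %s" % (label, status))
    return problems

def read_crl_dir(path):
    """Load every *.crl / *.pem file from an SSLCARevocationPath-style directory (assumed layout)."""
    return [(name, open(os.path.join(path, name)).read())
            for name in sorted(os.listdir(path)) if name.endswith((".crl", ".pem"))]

def make_sample_crl(this_update, next_update):
    """CONSTRUCTED demo CRL: empty revoked list, dummy (invalid) signature, for testing only."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                         + _der(0x0c, b"Example Test CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer + utc(this_update) + utc(next_update))
    crl = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 17))
    b64 = base64.b64encode(crl).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % body

# Constructed sample data, pinned to a fixed clock so results are reproducible.
SAMPLE_NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
EXPIRED_CRL = make_sample_crl(datetime(2004, 1, 1, tzinfo=timezone.utc),
                              datetime(2004, 2, 1, tzinfo=timezone.utc))
CURRENT_CRL = make_sample_crl(datetime(2004, 5, 1, tzinfo=timezone.utc),
                              datetime(2004, 7, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    # Usage: python crl_preflight.py /path/to/crl/dir ; a non-zero exit should block the Apache start
    problems = audit_crls(read_crl_dir(sys.argv[1]))
    print("\n".join("CRL preflight: " + p for p in problems) or "CRL preflight: all CRLs current")
    sys.exit(1 if problems else 0)
```

Run it from the Apache start-up wrapper before `apachectl startssl`; a non-zero exit keeps the server down rather than letting it come up with revocation checking silently disabled. The check is deliberately fail-closed on an empty directory, which is exactly the symlink-directory case described above, and it treats a CRL without `nextUpdate` as a problem to be looked at rather than assuming it never expires.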