RE: A question regarding the way how IIS gets the CRL's

From: Ralph Los (RLos@enteredge.com)
Date: 04/04/02


From: "Ralph Los" <RLos@enteredge.com>
To: "'?????? ??????'" <volkov@skbkontur.ru>
Date: Thu, 4 Apr 2002 11:30:57 -0500

Open up a packet sniffer, and track which ports are being used by the IIS
box out-bound to the client(s). Also...open all ports on the IIS box, and
set up a program like TCPView, or use Netstat to see the incoming
connections from the IIS box --> client, and thus isolate your issue that
way.

There are a bunch of ways to go about this; most of them involve being at
either one end of the conversation or the other, or both.

Cheers, post your findings, k?

----------------------------------------|
Ralph M. Los
Sr. Security Engineer and Trainer
          EnterEdge Technology, L.L.C.
          rlos@enteredge.com
          (770) 955-9899 x.206
----------------------------------------|

::-----Original Message-----
::From: volkov@skbkontur.ru [mailto:volkov@skbkontur.ru]
::Sent: Wednesday, April 03, 2002 12:13 PM
::To: focus-ms@securityfocus.com
::Subject: A question regarding the way how IIS gets the CRL's
::
::
::Hello all,
::We have created some web-based application and installed it
::for the customer; It is running on IIS 5.0 - thus W2K. Now,
::all the clients are allowed to work with this application if
::and only if they have a client certificate; only the port 443
::is open. So this web-server supports only HTTPS. The problem
::is as follows: we also run the Certification Authority at
::our office, and with its help we distribute the certificates
::for that web-application. Thus, we also publish the CRL's
::every month on our server, and the IIS at the customer's
::knows, where it is to look for the CRL's. But - the port 443
::is not enough for it, and also if we open the port 80 it
::still rejects all the client's certificates, saying that it
::is not able to check the CRL. Though, if we open all ports at
::the customer's service, it is able to check the CRL - and the
::client's certificate. Therefore we suppose, that IIS uses
::some special port or some special way to get the CRL from a
::remote CA. But we were not able to figure out, which way? Can
::anyone help? Thank you,
::
::Leonid Volkov
::
::*********************
::IT Lab, SKB Kontur, Ekaterinburg, Russia
::volkov@skbkontur.ru
::http://otchet.skbkontur.ru
::http://www.skbkontur.ru
::+007(3432)343446
::
::
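
The netstat approach suggested in the reply above, as an added example that is not part of the original message: it parses `netstat -an` output taken on the IIS box and separates connections the server initiates from client sessions on its listening ports, so the remote port of the CRL fetch stands out. The sample output, addresses and function names are constructed for illustration; entries stuck in `SYN_SENT` are the attempts a firewall is dropping.

```python
import re
from collections import Counter

# Constructed `netstat -an` output (Windows layout); addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           192.0.2.10:3120        ESTABLISHED
  TCP    10.0.0.5:443           192.0.2.11:4410        TIME_WAIT
  TCP    10.0.0.5:1046          198.51.100.7:389       SYN_SENT
  TCP    10.0.0.5:1047          198.51.100.7:389       SYN_SENT
  TCP    10.0.0.5:1051          198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Proto, local addr:port, foreign addr:port, state (also matches [::]:443 style).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def outbound_connections(netstat_text):
    """Count TCP connections whose local port is not one the box listens on."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    listening = {int(lport) for _, lport, _, _, state in rows if state == "LISTENING"}
    found = Counter()
    for _, lport, raddr, rport, state in rows:
        # Skip listeners and inbound client sessions (local port is a service port).
        if state == "LISTENING" or int(lport) in listening:
            continue
        found[(raddr, int(rport), state)] += 1
    return found


def blocked_candidates(netstat_text):
    """Remote (address, port) pairs the server is trying to reach but cannot."""
    conns = outbound_connections(netstat_text)
    return sorted({(addr, port) for addr, port, state in conns if state == "SYN_SENT"})


if __name__ == "__main__":
    for (addr, port, state), n in sorted(outbound_connections(SAMPLE).items()):
        print(f"{addr}:{port:<5} {state:<12} x{n}")
    print("blocked:", blocked_candidates(SAMPLE))
```

Run it once with the firewall in its restricted state and once with all ports open, then compare the two results.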


