Re: Problem with IIS5 - "expired" CRLs not working?

From: Ohaya (ohaya_at_cox.net)
Date: 03/27/04


Date: Sat, 27 Mar 2004 17:01:15 -0500

Hi,

I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
and in this clean, "out-of-the-box" configuration, I tested, and,
indeed, it appears that:

1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
2000 AS apparently does not).

2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
(again my client certs don't have CDP populated).

As with the earlier clean-install Win2K AS, this Win2K3 install was as a
standalone server (no AD and no Certificate Services).

Re. #2 above, I need to add that initially, obviously, there was not a
CRL stored in the ICA, and in this initial configuration, IIS6 did allow
connections.

I then did testing using CertMgr to add a CRL (to test the validity
period checking), and after that, I deleted the CRL from the ICA.

After I deleted the CRL from the ICA, IIS6 would not allow connections.

Jim

Ohaya wrote:
>
> David,
>
> Thank goodness you're still here!!
>
> I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
> I'm starting to come to the conclusion that this (and another problem) are
> Win2K AS-related (vs. Win2K3). Let me try to explain...
>
> Late last year, when I first started testing, I started with a Win2K3
> installation. During that time, I began keeping a project notebook, where I
> commented on my test results (including a lot of the conversations I had
> here and on the inetserver.iis.security NG). According to my notes at that
> time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
> security-wise):
>
> - It obeyed the CRL validity period (Next Update date, etc.), and
> - If no CRL was in the ICA store (deleted from store using CertMgr.exe and
> confirmed using the MMC Certificates snap-in), IIS6 would not allow
> connections at all for the website.
>
> As I continued testing, I eventually got a Win2K AS CD from my company,
> since what we were actually going to stand up were Win2K AS machines.
>
> From my notes from that time, it appears that I did not go back and check
> those 2 behaviors that I mentioned above related to CRL processing.
>
> I really should have noticed at least the first problem, a LONG time ago,
> since the Next Update date on the test CRLs that I got was January 29, 2004,
> but very stupidly on my part, I didn't :(...
>
> In other words, we're using these same test CRLs in a couple of different
> test labs (all running Win2K Server or Advanced Server), and they're ALL
> still working, and I didn't even think about it. Darn!!!
>
> Just recently, I started putting together a "Lessons Learned" document for
> my company, and actually for our partner community, and in beginning to do
> that, I started going back through my notes and trying to reproduce the
> results that I had documented in my notes.
>
> And, that's when I started finding these differences/problems.
>
> I am going to have to try to recreate my earlier Win2K3 environment, but
> I've already created a clean install of Win2K AS (SP4), and with the Win2K
> AS, it is definitely working with the expired CRLs, and IIS5 definitely is
> not shutting down websites that are SSL (client) secured when I delete the
> CRL from the ICA store.
>
> Once I get some time to rebuild a Win2K3 environment, I'll try this again,
> but unless my (voluminous) notes are completely whacked, I think that I'm
> going to find that Win2K3 does obey the CRL expiration date and does lock
> down the SSL (client) secured websites when I delete the CRL from the ICA
> store.
>
> Our policy and standard maintenance practices do call for ensuring that the
> CRLs are both populated and updated, so hopefully this won't be a problem,
> but if things turn out the way I'm alluding to above, these 2 problems seem
> like a kind of major problem in Win2K AS/IIS5?
>
> Will post back, but probably not immediately...
>
> Jim
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > As an additional troubleshooting step, you can use CAPIMON to debug
> > exactly what IIS is doing and what information is being returned by
> > CryptoAPI through CAPIMON:
> >
> > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> >
> > --
> >
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > Hi,
> > >
> > > I have a new/clean Win2K Advanced Server installation with IIS5. This
> > > machine is a standalone server, i.e., it is not a member of a domain,
> > > and I've updated Win2K through SP4.
> > >
> > > The IIS5 website is configured for SSL with client and server
> > > authentication, and that part is working. My server and client certs
> > > are issued by a 3rd party CA, and all the client certs do not have the
> > > CDP populated.
> > >
> > > For my testing earlier, my CA provided me with several test CRLs, along
> > > with associated client certs, and I've been using CertMgr.exe to import
> > > the test CRLs into the Intermediate Certification Authorities (ICA)
> > > store during my testing.
> > >
> > >
> > > However, today I noticed that the test CRLs all have a "Next Update"
> > > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > > these CRLs could still be working. It seems like they should be
> > > considered invalid and that since IIS5 is calling CryptoAPI to do the
> > > CRL checking, that I should be getting some kind of error?
> > >
> > > I've checked the system date on the server, and it's definitely correct
> > > (today's date), so I'm really puzzled. I really have the impression
> > > that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL
> > > was not within the validity period.
> > >
> > > Can someone explain why these out-of-validity-period CRLs still seem to
> > > work all right?
> > >
> > > Thanks,
> > > Jim
> >
> >
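The thread turns on one check: a CRL whose "Next Update" date has passed (the test CRLs expired 1/29/04, the test ran 3/26/04) should be treated as stale, and a server with no usable CRL must decide whether to fail open (the Win2K AS/IIS5 behaviour Jim reports) or fail closed (the Win2K3/IIS6 behaviour). The following is an added example, not code from this thread, from Microsoft, or from CryptoAPI. It builds a constructed test CRL with a hand-rolled DER encoder (the signature is a placeholder and is never verified), decodes the thisUpdate/nextUpdate window back out of the DER, and then applies the validity-window check together with a fail-open/fail-closed policy switch; the function names, the "Test CA" issuer and the dates are all assumptions chosen to mirror the thread.

```python
# Added example (not IIS/CryptoAPI code): build a constructed test CRL,
# read its validity window from DER, and apply the RFC 5280 thisUpdate /
# nextUpdate check with an explicit fail-open vs fail-closed policy.
from datetime import datetime, timezone

# X.690 tag numbers used below
SEQ, SET, INT, OID, NULL, PRINTABLE, BITSTR, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x13, 0x03, 0x17, 0x18)


def der(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def utc_time(dt):
    """UTCTime 'YYMMDDHHMMSSZ' (RFC 5280 requires it for years 1950..2049)."""
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11)
SHA256_RSA = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))


def build_crl(issuer_cn, this_update, next_update):
    """Constructed CertificateList: v2, no revoked entries, placeholder signature."""
    cn = der(SEQ, der(OID, bytes.fromhex("550403")) + der(PRINTABLE, issuer_cn.encode("ascii")))
    issuer = der(SEQ, der(SET, cn))
    tbs = der(SEQ, der(INT, b"\x01") + SHA256_RSA + issuer
              + utc_time(this_update) + utc_time(next_update))
    fake_sig = der(BITSTR, b"\x00" * 33)  # placeholder bits; this example never verifies them
    return der(SEQ, tbs + SHA256_RSA + fake_sig)


def tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    """Decode all TLVs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """UTCTime or GeneralizedTime to an aware UTC datetime."""
    s = val.decode("ascii")
    if tag == UTCTIME:                      # two-digit year, RFC 5280 4.1.2.5.1 rule
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_window(crl_der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, body, _ = tlv(crl_der)
    _, tbs = children(body)[0]              # tbsCertList
    fields = children(tbs)
    if fields[0][0] == INT:                 # optional version field
        fields = fields[1:]
    # fields: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], [exts]
    this_update = parse_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (UTCTIME, GENTIME):
        next_update = parse_time(*fields[3])
    return this_update, next_update


def crl_state(crl_der, now):
    """'valid', 'expired' (past nextUpdate) or 'not-yet-valid' (before thisUpdate)."""
    this_update, next_update = crl_window(crl_der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "valid"


def admit_client(crl_der, now, fail_closed):
    """Revocation-check outcome for a client cert whose CRL is crl_der (or None).

    fail_closed=True models the Win2K3/IIS6 behaviour reported in the thread:
    a missing or stale CRL blocks the connection. fail_closed=False models the
    Win2K AS/IIS5 observation, where the same conditions are silently let through.
    """
    if crl_der is None or crl_state(crl_der, now) != "valid":
        return not fail_closed
    return True


if __name__ == "__main__":
    crl = build_crl("Test CA", datetime(2003, 12, 29, tzinfo=timezone.utc),
                    datetime(2004, 1, 29, tzinfo=timezone.utc))   # Next Update 1/29/04
    today = datetime(2004, 3, 26, tzinfo=timezone.utc)             # the thread's test date
    print("CRL state on 3/26/04:", crl_state(crl, today))
    for policy in (False, True):
        print("fail_closed=%s -> admit: %s" % (policy, admit_client(crl, today, policy)))
```

The decoder deliberately stops at the CRL window: signature verification, issuer matching and the revoked-serial lookup are separate steps that a real checker runs before consulting the window, and the point of the thread is that the window check alone is what one of the two platforms skipped.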