Re: Problem with IIS5 - "expired" CRLs not working?

From: Ohaya (Ohaya_at_NO_SPAM.cox.net)
Date: 03/27/04


Date: Sat, 27 Mar 2004 10:43:18 -0500

David,

Thank goodness you're still here!!

I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
I'm starting to come to the conclusion that this (and another problem) are
Win2K AS-related (vs. Win2K3). Let me try to explain...

Late last year, when I first started testing, I started with a Win2K3
installation. During that time, I began keeping a project notebook, where I
commented on my test results (including a lot of the conversations I had
here and on the inetserver.iis.security NG). According to my notes at that
time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
security-wise):

- It obeyed the CRL validity period (Next Update date, etc.), and
- If no CRL was in the ICA store (deleted from store using CertMgr.exe and
confirmed using the MMC Certificates snap-in), IIS6 would not allow
connections at all for the website.

As I continued testing, I eventually got a Win2K AS CD from my company,
since what we were actually going to stand up were Win2K AS machines.

From my notes from that time, it appears that I did not go back and check
those 2 behaviors that I mentioned above related to CRL processing.

I really should have noticed at least the first problem, a LONG time ago,
since the Next Update date on the test CRLs that I got was January 29, 2004,
but very stupidly on my part, I didn't :(...

In other words, we're using these same test CRLs in a couple of different
test labs (all running Win2K Server or Advanced Server), and they're ALL
still working, and I didn't even think about it. Darn!!!

Just recently, I started putting together a "Lessons Learned" document for
my company, and actually for our partner community, and in beginning to do
that, I started going back through my notes and trying to reproduce the
results that I had documented in my notes.

And, that's when I started finding these differences/problems.

I am going to have to try to recreate my earlier Win2K3 environment, but
I've already created a clean install of Win2K AS (SP4), and with the Win2K
AS, it is definitely working with the expired CRLs, and IIS5 definitely is
not shutting down websites that are SSL (client) secured when I delete the
CRL from the ICA store.

Once I get some time to rebuild a Win2K3 environment, I'll try this again,
but unless my (voluminous) notes are completely whacked, I think that I'm
going to find that Win2K3 does obey the CRL expiration date and does lock
down the SSL (client) secured websites when I delete the CRL from the ICA
store.

Our policy and standard maintenance practices do call for ensuring that the
CRLs are both populated and updated, so hopefully this won't be a problem,
but if things turn out the way I'm alluding to above, these 2 problems seem
like a kind of major problem in Win2K AS/IIS5?

Will post back, but probably not immediately...

Jim

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> As an additional troubleshooting step, you can use CAPIMON to debug exactly
> what IIS is doing and what information is being returned by CryptoAPI
> through CAPIMON:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en
>
> --
>
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> http://support.microsoft.com
>
> "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > Hi,
> >
> > I have a new/clean Win2K Advanced Server installation with IIS5. This
> > machine is a standalone server, i.e., it is not a member of a domain,
> > and I've updated Win2K through SP4.
> >
> > The IIS5 website is configured for SSL with client and server
> > authentication, and that part is working. My server and client certs
> > are issued by a 3rd party CA, and all the client certs do not have the
> > CDP populated.
> >
> > For my testing earlier, my CA provided me with several test CRLs, along
> > with associated client certs, and I've been using CertMgr.exe to import
> > the test CRLs into the Intermediate Certification Authorities (ICA)
> > store during my testing.
> >
> >
> > However, today I noticed that the test CRLs all have a "Next Update"
> > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > these CRLs could still be working. It seems like they should be
> > considered invalid and that since IIS5 is calling CryptoAPI to do the
> > CRL checking, that I should be getting some kind of error?
> >
> > I've checked the system date on the server, and it's definitely correct
> > (today's date), so I'm really puzzled. I really have the impression
> > that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL
> > was not within the validity period.
> >
> > Can someone explain why these out-of-validity-period CRLs still seem to
> > work all right?
> >
> > Thanks,
> > Jim
>
>
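As an added example (not code from the thread, from IIS, or from Microsoft), here is the fail-closed CRL policy Jim describes for Win2K3/IIS6, modelled in Python: a client certificate is accepted only if its issuer's CRL is present in the store, the current time lies inside the CRL's This Update / Next Update window, and the certificate's serial is not listed. The issuer name, the serials and the This Update date are constructed; the Next Update date (1/29/04) and the check dates come from the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class CrlStatus(Enum):
    OK = "ok"
    NO_CRL = "no CRL in store for issuer (fail closed)"
    CRL_NOT_YET_VALID = "CRL This Update is in the future"
    CRL_EXPIRED = "CRL is past its Next Update date"
    REVOKED = "certificate serial is listed on the CRL"


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset = field(default_factory=frozenset)


def check_client_cert(issuer, serial, crl_store, now):
    """Return the first reason the cert must be refused, or OK.

    Order matters: a missing or out-of-window CRL is rejected before the
    revocation list is consulted, so a stale CRL can never vouch for a cert.
    """
    crl = crl_store.get(issuer)
    if crl is None:                      # deleted from the ICA store
        return CrlStatus.NO_CRL
    if now < crl.this_update:            # clock skew or a CRL from the future
        return CrlStatus.CRL_NOT_YET_VALID
    if now > crl.next_update:            # the 1/29/04 vs 3/26/04 case
        return CrlStatus.CRL_EXPIRED
    if serial in crl.revoked_serials:
        return CrlStatus.REVOKED
    return CrlStatus.OK


# Constructed sample data: hypothetical issuer and serials, Next Update as quoted.
TEST_CA = "CN=Hypothetical Test CA"
REVOKED_SERIAL, GOOD_SERIAL = 0x1234, 0x5678
STORE = {TEST_CA: Crl(TEST_CA, datetime(2003, 12, 29), datetime(2004, 1, 29),
                      frozenset({REVOKED_SERIAL}))}
BEFORE_THIS_UPDATE = datetime(2003, 12, 1)
INSIDE_WINDOW = datetime(2004, 1, 15)
THREAD_TODAY = datetime(2004, 3, 26)     # the date Jim noticed the problem

if __name__ == "__main__":
    for when in (BEFORE_THIS_UPDATE, INSIDE_WINDOW, THREAD_TODAY):
        for serial in (GOOD_SERIAL, REVOKED_SERIAL):
            print(when.date(), hex(serial), check_client_cert(TEST_CA, serial, STORE, when).value)
```

Running it shows the good certificate accepted only on 1/15/04; on 3/26/04 both certificates are refused because the CRL is expired, and with an empty store every certificate is refused.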