Re: Problem with IIS5 - "expired" CRLs not working?

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/30/04


Date: Tue, 30 Mar 2004 05:39:33 -0800

I am not an expert on IIS, but I would need some more information to help
you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and
determine what error (or status) is being returned by CryptoAPI to IIS?
That will help us determine if:

1) CryptoAPI is returning the right status to IIS

2) IIS is determining the right action based on this status

http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> David,
>
> Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
> occurring.  I can revoke a cert, import the new CRL into the ICA, and voila,
> connecting using the revoked cert will fail with 403.13.
>
> Revocation checking, per se, is NOT the problem.
>
> The problem is that when the CRL in the ICA is expired, things keep on
> working just as if the CRL was not expired.
>
> Jim
>
>
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > This may be a nuance with IIS 5.0, but many applications treat no CDP in
> > certs as an indicator that revocation does not need to be checked.
> >
> > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > application allows the "no check" status to be interpreted as "OK",
> > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> >
> > As per your reply:
> >
> > (again my client certs don't have CDP populated).
> >
> > -- 
> >
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "Ohaya" <ohaya@cox.net> wrote in message
> > news:4065F9AB.8B3395C1@cox.net...
> > > Hi,
> > >
> > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
> > > and in this clean, "out-of-the-box" configuration, I tested, and,
> > > indeed, it appears that:
> > >
> > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
> > > 2000 AS apparently does not).
> > >
> > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > (again my client certs don't have CDP populated).
> > >
> > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a
> > > standalone server (no AD and no Certificate Services).
> > >
> > > Re. #2 above, I need to add that initially, obviously, there was not a
> > > CRL stored in the ICA, and in this initial configuration, IIS6 did allow
> > > connections.
> > >
> > > I then did testing using CertMgr to add a CRL (to test the validity
> > > period checking), and after that, I deleted the CRL from the ICA.
> > >
> > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > >
> > > Jim
> > >
> > >
> > >
> > > Ohaya wrote:
> > > >
> > > > David,
> > > >
> > > > Thank goodness you're still here!!
> > > >
> > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
> > > > I'm starting to come to the conclusion that this (and another problem) are
> > > > Win2K AS-related (vs. Win2K3).  Let me try to explain...
> > > >
> > > > Late last year, when I first started testing, I started with a Win2K3
> > > > installation.  During that time, I began keeping a project notebook, where I
> > > > commented on my test results (including a lot of the conversations I had
> > > > here and on the inetserver.iis.security NG).  According to my notes at that
> > > > time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
> > > > security-wise):
> > > >
> > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe and
> > > > confirmed using the MMC Certificates snap-in), IIS6 would not allow
> > > > connections at all for the website.
> > > >
> > > > As I continued testing, I eventually got a Win2K AS CD from my company,
> > > > since what we were actually going to stand up were Win2K AS machines.
> > > >
> > > > From my notes from that time, it appears that I did not go back and check
> > > > those 2 behaviors that I mentioned above related to CRL processing.
> > > >
> > > > I really should have noticed at least the first problem, a LONG time ago,
> > > > since the Next Update date on the test CRLs that I got was January 29, 2004,
> > > > but very stupidly on my part, I didn't :(...
> > > >
> > > > In other words, we're using these same test CRLs in a couple of different
> > > > test labs (all running Win2K Server or Advanced Server), and they're ALL
> > > > still working, and I didn't even think about it.  Darn!!!
> > > >
> > > > Just recently, I started putting together a "Lessons Learned" document for
> > > > my company, and actually for our partner community, and in beginning to do
> > > > that, I started going back through my notes and trying to reproduce the
> > > > results that I had documented in my notes.
> > > >
> > > > And, that's when I started finding these differences/problems.
> > > >
> > > > I am going to have to try to recreate my earlier Win2K3 environment, but
> > > > I've already created a clean install of Win2K AS (SP4), and with the Win2K
> > > > AS, it is definitely working with the expired CRLs, and IIS5 definitely is
> > > > not shutting down websites that are SSL (client) secured when I delete the
> > > > CRL from the ICA store.
> > > >
> > > > Once I get some time to rebuild a Win2K3 environment, I'll try this again,
> > > > but unless my (voluminous) notes are completely whacked, I think that I'm
> > > > going to find that Win2K3 does obey the CRL expiration date and does lock
> > > > down the SSL (client) secured websites when I delete the CRL from the ICA
> > > > store.
> > > >
> > > > Our policy and standard maintenance practices do call for ensuring that the
> > > > CRLs are both populated and updated, so hopefully this won't be a problem,
> > > > but if things turn out the way I'm alluding to above, these 2 problems seem
> > > > like a kind of major problem in Win2K AS/IIS5?
> > > >
> > > > Will post back, but probably not immediately...
> > > >
> > > > Jim
> > > >
> > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > As an additional troubleshooting step, you can use CAPIMON to debug exactly
> > > > > what IIS is doing and what information is being returned by CryptoAPI
> > > > > through CAPIMON:
> > > > >
> > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > >
> > > > > --
> > > > >
> > > > >
> > > > > David B. Cross [MS]
> > > > >
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > >
> > > > > http://support.microsoft.com
> > > > >
> > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > Hi,
> > > > > >
> > > > > > I have a new/clean Win2K Advanced Server installation with IIS5.  This
> > > > > > machine is a standalone server, i.e., it is not a member of a domain,
> > > > > > and I've updated Win2K through SP4.
> > > > > >
> > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > authentication, and that part is working.  My server and client certs
> > > > > > are issued by a 3rd party CA, and all the client certs do not have the
> > > > > > CDP populated.
> > > > > >
> > > > > > For my testing earlier, my CA provided me with several test CRLs, along
> > > > > > with associated client certs, and I've been using CertMgr.exe to import
> > > > > > the test CRLs into the Intermediate Certification Authorities (ICA)
> > > > > > store during my testing.
> > > > > >
> > > > > >
> > > > > > However, today I noticed that the test CRLs all have a "Next Update"
> > > > > > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > > > > > these CRLs could still be working.  It seems like they should be
> > > > > > considered invalid and that since IIS5 is calling CryptoAPI to do the
> > > > > > CRL checking, that I should be getting some kind of error?
> > > > > >
> > > > > > I've checked the system date on the server, and it's definitely correct
> > > > > > (today's date), so I'm really puzzled.  I really have the impression
> > > > > > that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL
> > > > > > was not within the validity period.
> > > > > >
> > > > > > Can someone explain why these out-of-validity-period CRLs still seem to
> > > > > > work all right?
> > > > > >
> > > > > > Thanks,
> > > > > > Jim
> > > > >
> > > > >
> >
> >
>
>
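The thread's complaint is that Win2K/IIS5 kept honouring CRLs whose Next Update date (1/29/04) had already passed, while Win2K3 fails closed on an expired or missing CRL. As an added example (not code from the thread, from Microsoft or from CryptoAPI), here is a dependency-free Python check of a CRL's thisUpdate/nextUpdate window that fails closed the way the poster expected; the function names are my own, and the sample CRL is constructed in the block with a dummy signature, so only its time fields are meaningful.

```python
from datetime import datetime

def _tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _parse_time(tag, body):
    s = body.decode()
    if tag == 0x17:  # UTCTime has a 2-digit year: RFC 5280 says YY >= 50 is 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ")  # GeneralizedTime (0x18) as-is

def build_sample_crl(this_update, next_update):
    """Constructed sample: empty issuer, no revoked entries, dummy zero signature."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    utc = lambda dt: _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"")
               + utc(this_update) + utc(next_update) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded CertificateList."""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    tag, _, pos = _read_tlv(tbs, 0)       # optional version, else the signature alg
    if tag == 0x02:
        _, _, pos = _read_tlv(tbs, pos)   # skip signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)       # skip issuer Name
    tag, body, pos = _read_tlv(tbs, pos)  # thisUpdate
    this_update, next_update = _parse_time(tag, body), None
    if pos < len(tbs):
        tag, body, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):           # nextUpdate is OPTIONAL in the ASN.1
            next_update = _parse_time(tag, body)
    return this_update, next_update

def crl_is_current(der, now):
    """Fail closed: a CRL past nextUpdate (or without one) must not be relied on."""
    this_update, next_update = crl_validity(der)
    return next_update is not None and this_update <= now <= next_update
```

With the thread's dates, a CRL issued 12/30/03 with Next Update 1/29/04 is current on 1/15/04 and stale on 3/26/04, which is the outcome the poster saw on Win2K3 but not on Win2K.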

