Re: Problem with IIS5 - "expired" CRLs not working?
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/31/04
- Next message: Denis: "Re: Secure Storage"
- Previous message: David Cross [MS]: "Re: CertGetCertificateChain"
- In reply to: Ohaya: "Re: Problem with IIS5 - "expired" CRLs not working?"
- Next in thread: Ohaya: "Re: Problem with IIS5 - "expired" CRLs not working?"
- Reply: Ohaya: "Re: Problem with IIS5 - "expired" CRLs not working?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Mar 2004 05:25:31 -0800
Yes, you run CAPIMON on the server. You don't see your client cert being
checked on the server by IIS?

--
David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> Hi,
>
> Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries
> in the output are CertGetCertificate with "End Entity" being my server
> cert name. Both of these have "Status" of "OK", with "Return" of
> "Success". Then there are the alternating calls with other End Entity,
> etc., some of which have errors, and some of which succeed.
>
> I don't get any of the "Revocation" calls, either successful or failed.
>
> I'm not quite sure how much more info this gives?
>
> Jim
>
>
> Ohaya wrote:
> >
> > David,
> >
> > I think I've figured out basically how to use CAPIMON.
> >
> > With the default capimon_filter.inf, I did a connect from IE to IIS5
> > with a client certificate, but I am only getting a series of alternating
> > calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy,
> > with the End Entity/Root Cert columns showing some of the built-in root
> > certs that come with Windows. None of these have my root CA cert, and
> > none of the revocation-related calls are listed.
> >
> > I'm supposed to install CAPIMON on my IIS machine, right? Not on the
> > client machine, right?
> >
> > CAPIMON seems to be a bit "picky". After I do a "capimon -stop", it seems
> > like I have to do a reboot before I do another "capimon -start".
> > Otherwise, capimon doesn't seem to record anything.
> >
> > Jim
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I installed CAPIMON per your suggestion, last night, but I'm still trying to
> > > figure out how to use it :). It looks like it installs some kind of "shim"
> > > in front of the CryptoAPI? Sorry to ask, but what exactly do you suggest I
> > > set up for the filters(?)? I'm trudging my way through the docs...
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > I am not an expert on IIS, but I would need some more information to help
> > > > you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and
> > > > determine what error (or status) is being returned by CryptoAPI to IIS?
> > > > That will help us determine if:
> > > >
> > > > 1) CryptoAPI is returning the right status to IIS
> > > >
> > > > 2) IIS is determining the right action based on this status
> > > >
> > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > >
> > > > --
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> > > > news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > David,
> > > > >
> > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking
> > > > > IS occurring. I can revoke a cert, import the new CRL into the ICA, and
> > > > > voila, connecting using the revoked cert will fail with 403.13.
> > > > >
> > > > > Revocation checking, per se, is NOT the problem.
> > > > >
> > > > > The problem is that when the CRL in the ICA is expired, things keep on
> > > > > working just as if the CRL was not expired.
> > > > >
> > > > > Jim
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP
> > > > > > in certs as an indicator that revocation does not need to be checked.
> > > > > >
> > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > > > > > application allows the "no check" status to be interpreted as "OK",
> > > > > > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > >
> > > > > > As per your reply:
> > > > > >
> > > > > > (again my client certs don't have CDP populated).
> > > > > >
> > > > > > --
> > > > > >
> > > > > > David B. Cross [MS]
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > rights.
> > > > > >
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> > > > > > news:4065F9AB.8B3395C1@cox.net...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and
> > > > > > > IIS6, and in this clean, "out-of-the-box" configuration, I tested,
> > > > > > > and, indeed, it appears that:
> > > > > > >
> > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas
> > > > > > > Windows 2000 AS apparently does not).
> > > > > > >
> > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > > > > > (again my client certs don't have CDP populated).
> > > > > > >
> > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was
> > > > > > > as a standalone server (no AD and no Certificate Services).
> > > > > > >
> > > > > > > Re. #2 above, I need to add that initially, obviously, there was not
> > > > > > > a CRL stored in the ICA, and in this initial configuration, IIS6 did
> > > > > > > allow connections.
> > > > > > >
> > > > > > > I then did testing using CertMgr to add a CRL (to test the validity
> > > > > > > period checking), and after that, I deleted the CRL from the ICA.
> > > > > > >
> > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow
> > > > > > > connections.
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > >
> > > > > > > Ohaya wrote:
> > > > > > > >
> > > > > > > > David,
> > > > > > > >
> > > > > > > > Thank goodness you're still here!!
> > > > > > > >
> > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to,
> > > > > > > > but FYI, I'm starting to come to the conclusion that this (and
> > > > > > > > another problem) are Win2K AS-related (vs. Win2K3). Let me try to
> > > > > > > > explain...
> > > > > > > >
> > > > > > > > Late last year, when I first started testing, I started with a
> > > > > > > > Win2K3 installation. During that time, I began keeping a project
> > > > > > > > notebook, where I commented on my test results (including a lot of
> > > > > > > > the conversations I had here and on the inetserver.iis.security
> > > > > > > > NG). According to my notes at that time, I confirmed that
> > > > > > > > Win2K3/IIS6 did a couple of things (that were good, security-wise):
> > > > > > > >
> > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > - If no CRL was in the ICA store (deleted from store using
> > > > > > > > CertMgr.exe and confirmed using the MMC Certificates snap-in), IIS6
> > > > > > > > would not allow connections at all for the website.
> > > > > > > >
> > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my
> > > > > > > > company, since what we were actually going to stand up were Win2K
> > > > > > > > AS machines.
> > > > > > > >
> > > > > > > > From my notes from that time, it appears that I did not go back and
> > > > > > > > check those 2 behaviors that I mentioned above related to CRL
> > > > > > > > processing.
> > > > > > > >
> > > > > > > > I really should have noticed at least the first problem, a LONG
> > > > > > > > time ago, since the Next Update date on the test CRLs that I got
> > > > > > > > was January 29, 2004, but very stupidly on my part, I didn't :(...
> > > > > > > >
> > > > > > > > In other words, we're using these same test CRLs in a couple of
> > > > > > > > different test labs (all running Win2K Server or Advanced Server),
> > > > > > > > and they're ALL still working, and I didn't even think about it.
> > > > > > > > Darn!!!
> > > > > > > >
> > > > > > > > Just recently, I started putting together a "Lessons Learned"
> > > > > > > > document for my company, and actually for our partner community,
> > > > > > > > and in beginning to do that, I started going back through my notes
> > > > > > > > and trying to reproduce the results that I had documented in my
> > > > > > > > notes.
> > > > > > > >
> > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > >
> > > > > > > > I am going to have to try to recreate my earlier Win2K3
> > > > > > > > environment, but I've already created a clean install of Win2K AS
> > > > > > > > (SP4), and with the Win2K AS, it is definitely working with the
> > > > > > > > expired CRLs, and IIS5 definitely is not shutting down websites
> > > > > > > > that are SSL (client) secured when I delete the CRL from the ICA
> > > > > > > > store.
> > > > > > > >
> > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this
> > > > > > > > again, but unless my (voluminous) notes are completely whacked, I
> > > > > > > > think that I'm going to find that Win2K3 does obey the CRL
> > > > > > > > expiration date and does lock down the SSL (client) secured
> > > > > > > > websites when I delete the CRL from the ICA store.
> > > > > > > >
> > > > > > > > Our policy and standard maintenance practices do call for ensuring
> > > > > > > > that the CRLs are both populated and updated, so hopefully this
> > > > > > > > won't be a problem, but if things turn out the way I'm alluding to
> > > > > > > > above, these 2 problems seem like a kind of major problem in Win2K
> > > > > > > > AS/IIS5?
> > > > > > > >
> > > > > > > > Will post back, but probably not immediately...
> > > > > > > >
> > > > > > > > Jim
> > > > > > > >
> > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to
> > > > > > > > > debug exactly what IIS is doing and what information is being
> > > > > > > > > returned by CryptoAPI through CAPIMON:
> > > > > > > > >
> > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > > David B. Cross [MS]
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers
> > > > > > > > > no rights.
> > > > > > > > >
> > > > > > > > > http://support.microsoft.com
> > > > > > > > >
> > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I have a new/clean Win2K Advanced Server installation with
> > > > > > > > > > IIS5. This machine is a standalone server, i.e., it is not a
> > > > > > > > > > member of a domain, and I've updated Win2K through SP4.
> > > > > > > > > >
> > > > > > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > > > > > authentication, and that part is working. My server and client
> > > > > > > > > > certs are issued by a 3rd party CA, and all the client certs do
> > > > > > > > > > not have the CDP populated.
> > > > > > > > > >
> > > > > > > > > > For my testing earlier, my CA provided me with several test
> > > > > > > > > > CRLs, along with associated client certs, and I've been using
> > > > > > > > > > CertMgr.exe to import the test CRLs into the Intermediate
> > > > > > > > > > Certification Authorities (ICA) store during my testing.
> > > > > > > > > >
> > > > > > > > > > However, today I noticed that the test CRLs all have a "Next
> > > > > > > > > > Update" date of 1/29/04, and since today is 3/26/04, I can't
> > > > > > > > > > understand how these CRLs could still be working. It seems like
> > > > > > > > > > they should be considered invalid and that since IIS5 is
> > > > > > > > > > calling CryptoAPI to do the CRL checking, I should be getting
> > > > > > > > > > some kind of error?
> > > > > > > > > >
> > > > > > > > > > I've checked the system date on the server, and it's definitely
> > > > > > > > > > correct (today's date), so I'm really puzzled. I really have
> > > > > > > > > > the impression that CryptoAPI (and thus IIS5) would throw some
> > > > > > > > > > kind of error if the CRL was not within the validity period.
> > > > > > > > > >
> > > > > > > > > > Can someone explain why these out-of-validity-period CRLs
> > > > > > > > > > still seem to work all right?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Jim
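The behaviour the whole thread is chasing is that a verifier should not conclude "not revoked" from a CRL whose Next Update date has passed, nor from having no CRL at all. The script below is an added illustration written for this archive page; it is not code from the thread, from Microsoft, or from CryptoAPI/IIS. It builds a small constructed v2 CRL in DER (dummy, unverified signature; the issuer name "Test CA", serial 0x1234 and the January 2004 dates are sample values chosen to mirror the thread), reads thisUpdate, nextUpdate and the revoked serials back out with a minimal DER walker, and then classifies the CRL so that a revocation query against an expired or missing CRL answers "unknown" rather than "good". The names parse_crl, crl_freshness, revocation_status and CRLInfo are this example's own.

```python
"""Added example, not from the thread: parse a CRL's validity window and refuse
to draw a 'not revoked' conclusion from a CRL that is expired or absent."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# --- tiny DER encoder, used only to build the constructed sample CRL below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def seq(*parts):
    return tlv(0x30, b"".join(parts))
def integer(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def utctime(dt):  # UTCTime "YYMMDDHHMMSSZ"
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
def utc(y, m, d, hh=0, mm=0, ss=0):
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)

SHA256_RSA = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))  # AlgorithmIdentifier
ISSUER = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Test CA"))))  # CN=Test CA (sample)

def build_sample_crl(this_update, next_update, revoked_serials):
    """v2 CertificateList with a dummy signature: constructed for this example, not verifiable."""
    revoked = seq(*[seq(integer(s), utctime(this_update)) for s in revoked_serials])
    tbs = seq(integer(1), SHA256_RSA, ISSUER, utctime(this_update), utctime(next_update), revoked)
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" + bytes(8)))

# --- minimal DER reader ------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 maps YY 50-99 to 19YY and 00-49 to 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:  # GeneralizedTime already carries a four-digit year
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

@dataclass
class CRLInfo:
    this_update: datetime
    next_update: Optional[datetime]
    revoked: Dict[int, datetime] = field(default_factory=dict)  # serial -> revocation date

def parse_crl(der):
    _, cert_list, _ = read_tlv(der)   # CertificateList
    _, tbs, _ = read_tlv(cert_list)   # tbsCertList
    f = children(tbs)
    i = 1 if f[0][0] == 0x02 else 0   # optional version INTEGER
    i += 2                            # skip signature AlgorithmIdentifier and issuer Name
    this_update, i = parse_time(*f[i]), i + 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update, i = parse_time(*f[i]), i + 1
    info = CRLInfo(this_update, next_update)
    if i < len(f) and f[i][0] == 0x30:  # revokedCertificates (crlExtensions would be tag 0xA0)
        for _, entry in children(f[i][1]):
            serial, rev_date = children(entry)[:2]
            info.revoked[int.from_bytes(serial[1], "big")] = parse_time(*rev_date)
    return info

# --- the policy decision the thread is about ---------------------------------
def crl_freshness(crl, now):
    """'current', 'expired' or 'not-yet-valid' according to the CRL's own window."""
    if now < crl.this_update:
        return "not-yet-valid"
    if crl.next_update is not None and now > crl.next_update:
        return "expired"
    return "current"

def revocation_status(crl, serial, now):
    """'revoked', 'good' or 'unknown'. A missing or stale CRL yields 'unknown', never 'good'."""
    if crl is None or crl_freshness(crl, now) != "current":
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"

# Constructed sample mirroring the thread: Next Update 29 Jan 2004, checked on 26 Mar 2004.
SAMPLE_CRL = build_sample_crl(utc(2004, 1, 1), utc(2004, 1, 29), revoked_serials=[0x1234])
```

Calling `revocation_status(parse_crl(SAMPLE_CRL), 0x1234, utc(2004, 1, 15))` reports the sample serial as revoked while the CRL is current; the same query dated 26 March 2004 returns "unknown" because nextUpdate has passed, and passing `None` for the CRL (the "no CRL in the store" case from the thread) also returns "unknown". A server that maps "unknown" to "deny" gets the Win2K3/IIS6 behaviour Jim observed; one that maps it to "allow" gets the Win2K/IIS5 behaviour he was puzzled by.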