Re: Problem with IIS5 - "expired" CRLs not working?

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/31/04


Date: Wed, 31 Mar 2004 05:25:31 -0800

Yes, you run CAPIMON on the server. You don't see your client cert being
checked on the server by IIS?

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> Hi,
>
> Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries
> in the output are CertGetCertificate with "End Entity" being my server
> cert name.  Both of these have "Status" of "OK", with "Return" of
> "Success".  Then there are the alternating calls with other End Entity,
> etc., some of which have errors, and some of which succeed.
>
> I don't get any of the "Revocation" calls, either successful or failed.
>
> I'm not quite sure how much more info this gives?
>
> Jim
>
>
>
> Ohaya wrote:
> >
> > David,
> >
> > I think I've figured out basically how to use CAPIMON.
> >
> > With the default capimon_filter.inf, I did a connect from IE to IIS5
> > with a client certificate, but I am only getting a series of alternating
> > calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy,
> > with the End Entity/Root Cert columns showing some of the built-in root
> > certs that come with Windows.  None of these have my root CA cert, and
> > none of the revocation-related calls are listed.
> >
> > I'm supposed to install CAPIMON on my IIS machine, right?  Not on the
> > client machine, right?
> >
> > CAPIMON seems to be a bit "picky".  After I do a "capimon -stop", seems
> > like I have to do a reboot before I do another "capimon -start".
> > Otherwise, capimon doesn't seem to record anything.
> >
> > Jim
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I installed CAPIMON per your suggestion, last night, but I'm still trying to
> > > figure out how to use it :).  It looks like it installs some kind of "shim"
> > > in front of the CryptoAPI?  Sorry to ask, but what exactly do you suggest I
> > > set up for the filters(?)?  I'm trudging my way through the docs...
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > I am not an expert on IIS, but I would need some more information to help
> > > > you troubleshoot the issue.  Can you install CAPIMON and shim IIS5 and
> > > > determine what error (or status) is being returned by CryptoAPI to IIS?
> > > > That will help us determine if:
> > > >
> > > > 1) CryptoAPI is returning the right status to IIS
> > > >
> > > > 2) Is IIS determining the right action based on this status
> > > >
> > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> > > > news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > David,
> > > > >
> > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
> > > > > occurring.  I can revoke a cert, import the new CRL into the ICA, and voila,
> > > > > connecting using the revoked cert will fail with 403.13.
> > > > >
> > > > > Revocation checking, per se, is NOT the problem.
> > > > >
> > > > > The problem is that when the CRL in the ICA is expired, things keep on
> > > > > working just as if the CRL was not expired.
> > > > >
> > > > > Jim
> > > > >
> > > > >
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP in
> > > > > > certs as an indicator that revocation does not need to be checked.
> > > > > >
> > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > > > > > application allows the "no check" status to be interpreted as "OK",
> > > > > > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > >
> > > > > > As per your reply:
> > > > > >
> > > > > > (again my client certs don't have CDP populated).
> > > > > >
> > > > > > --
> > > > > >
> > > > > >
> > > > > > David B. Cross [MS]
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > >
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> > > > > > news:4065F9AB.8B3395C1@cox.net...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
> > > > > > > and in this clean, "out-of-the-box" configuration, I tested, and,
> > > > > > > indeed, it appears that:
> > > > > > >
> > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
> > > > > > > 2000 AS apparently does not).
> > > > > > >
> > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > > > > > (again my client certs don't have CDP populated).
> > > > > > >
> > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a
> > > > > > > standalone server (no AD and no Certificate Services).
> > > > > > >
> > > > > > > Re. #2 above, I need to add that initially, obviously, there was not a
> > > > > > > CRL stored in the ICA, and in this initial configuration, IIS6 did allow
> > > > > > > connections.
> > > > > > >
> > > > > > > I then did testing using CertMgr to add a CRL (to test the validity
> > > > > > > period checking), and after that, I deleted the CRL from the ICA.
> > > > > > >
> > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Ohaya wrote:
> > > > > > > >
> > > > > > > > David,
> > > > > > > >
> > > > > > > > Thank goodness you're still here!!
> > > > > > > >
> > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
> > > > > > > > I'm starting to come to the conclusion that this (and another problem) are
> > > > > > > > Win2K AS-related (vs. Win2K3).  Let me try to explain...
> > > > > > > >
> > > > > > > > Late last year, when I first started testing, I started with a Win2K3
> > > > > > > > installation.  During that time, I began keeping a project notebook,
> > > > > > > > where I commented on my test results (including a lot of the
> > > > > > > > conversations I had here and on the inetserver.iis.security NG).
> > > > > > > > According to my notes at that time, I confirmed that Win2K3/IIS6 did a
> > > > > > > > couple of things (that were good, security-wise):
> > > > > > > >
> > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe
> > > > > > > > and confirmed using the MMC Certificates snap-in), IIS6 would not allow
> > > > > > > > connections at all for the website.
> > > > > > > >
> > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my company,
> > > > > > > > since what we were actually going to stand up were Win2K AS machines.
> > > > > > > >
> > > > > > > > From my notes from that time, it appears that I did not go back and
> > > > > > > > check those 2 behaviors that I mentioned above related to CRL processing.
> > > > > > > >
> > > > > > > > I really should have noticed at least the first problem, a LONG time
> > > > > > > > ago, since the Next Update date on the test CRLs that I got was January
> > > > > > > > 29, 2004, but very stupidly on my part, I didn't :(...
> > > > > > > >
> > > > > > > > In other words, we're using these same test CRLs in a couple of
> > > > > > > > different test labs (all running Win2K Server or Advanced Server), and
> > > > > > > > they're ALL still working, and I didn't even think about it.  Darn!!!
> > > > > > > >
> > > > > > > > Just recently, I started putting together a "Lessons Learned" document
> > > > > > > > for my company, and actually for our partner community, and in
> > > > > > > > beginning to do that, I started going back through my notes and trying
> > > > > > > > to reproduce the results that I had documented in my notes.
> > > > > > > >
> > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > >
> > > > > > > > I am going to have to try to recreate my earlier Win2K3 environment,
> > > > > > > > but I've already created a clean install of Win2K AS (SP4), and with
> > > > > > > > the Win2K AS, it is definitely working with the expired CRLs, and IIS5
> > > > > > > > definitely is not shutting down websites that are SSL (client) secured
> > > > > > > > when I delete the CRL from the ICA store.
> > > > > > > >
> > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this
> > > > > > > > again, but unless my (voluminous) notes are completely whacked, I think
> > > > > > > > that I'm going to find that Win2K3 does obey the CRL expiration date and
> > > > > > > > does lock down the SSL (client) secured websites when I delete the CRL
> > > > > > > > from the ICA store.
> > > > > > > >
> > > > > > > > Our policy and standard maintenance practices do call for ensuring that
> > > > > > > > the CRLs are both populated and updated, so hopefully this won't be a
> > > > > > > > problem, but if things turn out the way I'm alluding to above, these 2
> > > > > > > > problems seem like a kind of major problem in Win2K AS/IIS5?
> > > > > > > >
> > > > > > > > Will post back, but probably not immediately...
> > > > > > > >
> > > > > > > > Jim
> > > > > > > >
> > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to debug
> > > > > > > > > exactly what IIS is doing and what information is being returned by
> > > > > > > > > CryptoAPI through CAPIMON:
> > > > > > > > >
> > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > David B. Cross [MS]
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > >
> > > > > > > > > http://support.microsoft.com
> > > > > > > > >
> > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5.
> > > > > > > > > > This machine is a standalone server, i.e., it is not a member of a
> > > > > > > > > > domain, and I've updated Win2K through SP4.
> > > > > > > > > >
> > > > > > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > > > > > authentication, and that part is working.  My server and client
> > > > > > > > > > certs are issued by a 3rd party CA, and all the client certs do not
> > > > > > > > > > have the CDP populated.
> > > > > > > > > >
> > > > > > > > > > For my testing earlier, my CA provided me with several test CRLs,
> > > > > > > > > > along with associated client certs, and I've been using CertMgr.exe
> > > > > > > > > > to import the test CRLs into the Intermediate Certification
> > > > > > > > > > Authorities (ICA) store during my testing.
> > > > > > > > > >
> > > > > > > > > > However, today I noticed that the test CRLs all have a "Next
> > > > > > > > > > Update" date of 1/29/04, and since today is 3/26/04, I can't
> > > > > > > > > > understand how these CRLs could still be working.  It seems like
> > > > > > > > > > they should be considered invalid and that since IIS5 is calling
> > > > > > > > > > CryptoAPI to do the CRL checking, that I should be getting some
> > > > > > > > > > kind of error?
> > > > > > > > > >
> > > > > > > > > > I've checked the system date on the server, and it's definitely
> > > > > > > > > > correct (today's date), so I'm really puzzled.  I really have the
> > > > > > > > > > impression that CryptoAPI (and thus IIS5) would throw some kind of
> > > > > > > > > > error if the CRL was not within the validity period.
> > > > > > > > > >
> > > > > > > > > > Can someone explain why these out-of-validity-period CRLs still
> > > > > > > > > > seem to work all right?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Jim
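The check the thread revolves around, added here as an example that is not part of any post: a stdlib-only Python walk over a DER-encoded CRL that pulls out thisUpdate and nextUpdate and reports whether the CRL is past its Next Update, which is the test Jim expected CryptoAPI to apply on the Win2K/IIS5 server. The sample CRL it builds is constructed (dummy signature bytes, no revoked entries, no extensions) and every function name is my own, not a CryptoAPI or CertMgr call.

```python
from datetime import datetime, timezone

UTC_TIME, GEN_TIME, INTEGER, SEQUENCE = 0x17, 0x18, 0x02, 0x30

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq_value):
    """List the (tag, value) pairs directly inside a SEQUENCE/SET value."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _tlv(seq_value, pos)
        out.append((tag, value))
    return out

def _time(tag, value):
    """Decode UTCTime (YYMMDDhhmmssZ) or GeneralizedTime (YYYYMMDDhhmmssZ) as UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate or None) from a DER-encoded CertificateList."""
    fields = _children(_children(_tlv(crl_der, 0)[1])[0][1])  # tbsCertList is the first element
    i = 1 if fields[0][0] == INTEGER else 0                    # optional version
    i += 2                                                     # skip signature algorithm and issuer
    this_update = _time(*fields[i])
    has_next = i + 1 < len(fields) and fields[i + 1][0] in (UTC_TIME, GEN_TIME)
    return this_update, (_time(*fields[i + 1]) if has_next else None)

def crl_status(crl_der, now_iso):
    """'current', 'expired', 'not-yet-valid' or 'no-next-update' at the given UTC time."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    this_update, next_update = crl_validity(crl_der)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:
        return "no-next-update"
    return "expired" if now > next_update else "current"

def _der(tag, body):
    """Encode one DER TLV; short-form lengths (< 128 bytes) suffice for the sample."""
    return bytes([tag, len(body)]) + body

def make_sample_crl(this_iso, next_iso=None):
    """Constructed, unsigned sample CRL (dummy signature, no entries) for testing the check."""
    utc = lambda iso: _der(UTC_TIME, datetime.fromisoformat(iso).strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(SEQUENCE, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))  # sha1WithRSA
    issuer = _der(SEQUENCE, _der(0x31, _der(SEQUENCE, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test CA"))))
    tbs = _der(INTEGER, b"\x01") + alg + issuer + utc(this_iso) + (utc(next_iso) if next_iso else b"")
    return _der(SEQUENCE, _der(SEQUENCE, tbs) + alg + _der(0x03, b"\x00" + bytes(8)))
```

With the thread's dates, `crl_status(make_sample_crl("2003-12-30", "2004-01-29"), "2004-03-26")` returns `"expired"`; to run it against a real CRL, read the DER file into bytes and pass it in place of the constructed sample.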