Re: Problem with IIS5 - "expired" CRLs not working?

From: Ohaya (Ohaya_at_NO_SPAM.cox.net)
Date: 03/31/04


Date: Wed, 31 Mar 2004 11:20:03 -0500

Hi,

Theory (in lieu of being able to find any information on the
CERT_CHAIN_POLICY... flags):

If I'm understanding things, CAPIMON shows the calls to CryptoAPI, including
calls from IIS5 itself, and parameters in such calls.

If I'm interpreting things correctly from the CAPIMONUI output, something
(presumably IIS5) is calling CertVerifyCertificateChainPolicy() with flags
that tell CertVerifyCertificateChainPolicy() not to pay attention to the
time validity of what it's checking, i.e., "Don't worry whether or not any
of the things you're checking are within their validity period".

Is this possible?

If so, this might seem to explain why IIS5 appears to be ignoring the
validity period of the CRLs?

Jim

"Ohaya" <ohaya@cox.net> wrote in message news:406AE6FA.EE63FFD6@cox.net...
> David,
>
> Ok, sorry, I missed this.
>
> During a connect with a good client cert, I am getting 4 lines with my
> root CA name in the "End Entity".
>
> These 4 lines come in pairs, with the call to CertGetCertificateChain
> first, then a call to CertVerifyCertificateChainPolicy immediately after
> that. All 4 calls have Status "OK".
>
> I don't know what this means, but I noticed that in the calls to
> CertVerifyCertificateChainPolicy, it's showing at the bottom:
>
> Policy Para:
> Flags: 0x00000007
> CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG (0x00000001)
> CERT_CHAIN_POLICY_IGNORE.... (0x00000002)
> CERT_CHAIN_................. (0x00000004)
>
> What are these? I'm wondering about the "IGNORE_NOT_TIME_VALID" part?
> Is this saying that CryptoAPI shouldn't check for time validity maybe?
>
> Could this be why IIS5 is not considering the client certs revoked when
> the CRL is expired?
>
> Jim
>
>
>
> Ohaya wrote:
> >
> > David,
> >
> > I guess the problem might be that I don't know precisely how to interpret the CAPIMONUI display, but the only rows that I see that show an "End Entity" with my host server cert or my root CA cert name are 2 entries at the very beginning of the CAPIMONUI display, for calls to CertGetCertificate, which have Status of "OK".
> >
> > Then there are a bunch of lines showing "End Entity" that look like other CAs in the "Trusted Root" store (I think). Some of these show Status "OK", and some show other statuses, e.g., wrong purpose, etc.
> >
> > I don't see any entries in the CAPIMONUI display for the 2 "Revocation" ("Revocation" and "RevocationDLL") calls.
> >
> > I'm going to try again with a known revoked cert later, but that's what I'm seeing in CAPIMONUI.
> >
> > Jim
> >
> > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:%234rAqOyFEHA.2664@TK2MSFTNGP11.phx.gbl...
> > > Yes, you run CAPIMON on the server. You don't see your client cert being checked on the server by IIS?
> > >
> > > --
> > >
> > > David B. Cross [MS]
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> > > > Hi,
> > > >
> > > > Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries in the output are CertGetCertificate with "End Entity" being my server cert name. Both of these have "Status" of "OK", with "Return" of "Success". Then there are the alternating calls with other End Entity, etc., some of which have errors, and some of which succeed.
> > > >
> > > > I don't get any of the "Revocation" calls, either successful or failed.
> > > >
> > > > I'm not quite sure how much more info this gives?
> > > >
> > > > Jim
> > > >
> > > > Ohaya wrote:
> > > > >
> > > > > David,
> > > > >
> > > > > I think I've figured out basically how to use CAPIMON.
> > > > >
> > > > > With the default capimon_filter.inf, I did a connect from IE to IIS5 with a client certificate, but I am only getting a series of alternating calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy, with the End Entity/Root Cert columns showing some of the built-in root certs that come with Windows. None of these have my root CA cert, and none of the revocation-related calls are listed.
> > > > >
> > > > > I'm supposed to install CAPIMON on my IIS machine, right? Not on the client machine, right?
> > > > >
> > > > > CAPIMON seems to be a bit "picky". After I do a "capimon -stop", seems like I have to do a reboot before I do another "capimon -start". Otherwise, capimon doesn't seem to record anything.
> > > > >
> > > > > Jim
> > > > >
> > > > > Ohaya wrote:
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > I installed CAPIMON per your suggestion, last night, but I'm still trying to figure out how to use it :). It looks like it installs some kind of "shim" in front of the CryptoAPI? Sorry to ask, but what exactly do you suggest I set up for the filters(?)? I'm trudging my way through the docs...
> > > > > >
> > > > > > Jim
> > > > > >
> > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > > > > I am not an expert on IIS, but I would need some more information to help you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and determine what error (or status) is being returned by CryptoAPI to IIS? That will help us determine if:
> > > > > > >
> > > > > > > 1) CryptoAPI is returning the right status to IIS
> > > > > > >
> > > > > > > 2) Is IIS determining the right action based on this status
> > > > > > >
> > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > David B. Cross [MS]
> > > > > > >
> > > > > > > --
> > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > >
> > > > > > > http://support.microsoft.com
> > > > > > >
> > > > > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > > > > David,
> > > > > > > >
> > > > > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS occurring. I can revoke a cert, import the new CRL into the ICA, and voila, connecting using the revoked cert will fail with 403.13.
> > > > > > > >
> > > > > > > > Revocation checking, per se, is NOT the problem.
> > > > > > > >
> > > > > > > > The problem is that when the CRL in the ICA is expired, things keep on working just as if the CRL was not expired.
> > > > > > > >
> > > > > > > > Jim
> > > > > > > >
> > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP in certs as an indicator that revocation does not need to be checked.
> > > > > > > > >
> > > > > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the application allows the "no check" status to be interpreted as "OK", CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > > > > >
> > > > > > > > > As per your reply:
> > > > > > > > >
> > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > > David B. Cross [MS]
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > >
> > > > > > > > > http://support.microsoft.com
> > > > > > > > >
> > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message news:4065F9AB.8B3395C1@cox.net...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6, and in this clean, "out-of-the-box" configuration, I tested, and, indeed, it appears that:
> > > > > > > > > >
> > > > > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows 2000 AS apparently does not).
> > > > > > > > > >
> > > > > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store (again my client certs don't have CDP populated).
> > > > > > > > > >
> > > > > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a standalone server (no AD and no Certificate Services).
> > > > > > > > > >
> > > > > > > > > > Re. #2 above, I need to add that initially, obviously, there was not a CRL stored in the ICA, and in this initial configuration, IIS6 did allow connections.
> > > > > > > > > >
> > > > > > > > > > I then did testing using CertMgr to add a CRL (to test the validity period checking), and after that, I deleted the CRL from the ICA.
> > > > > > > > > >
> > > > > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > > > > > > > >
> > > > > > > > > > Jim
> > > > > > > > > >
> > > > > > > > > > Ohaya wrote:
> > > > > > > > > > >
> > > > > > > > > > > David,
> > > > > > > > > > >
> > > > > > > > > > > Thank goodness you're still here!!
> > > > > > > > > > >
> > > > > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI, I'm starting to come to the conclusion that this (and another problem) are Win2K AS-related (vs. Win2K3). Let me try to explain...
> > > > > > > > > > >
> > > > > > > > > > > Late last year, when I first started testing, I started with a Win2K3 installation. During that time, I began keeping a project notebook, where I commented on my test results (including a lot of the conversations I had here and on the inetserver.iis.security NG). According to my notes at that time, I confirmed that Win2K3/IIS6 did a couple of things (that were good, security-wise):
> > > > > > > > > > >
> > > > > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe and confirmed using the MMC Certificates snap-in), IIS6 would not allow connections at all for the website.
> > > > > > > > > > >
> > > > > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my company, since what we were actually going to stand up were Win2K AS machines.
> > > > > > > > > > >
> > > > > > > > > > > From my notes from that time, it appears that I did not go back and check those 2 behaviors that I mentioned above related to CRL processing.
> > > > > > > > > > >
> > > > > > > > > > > I really should have noticed at least the first problem, a LONG time ago, since the Next Update date on the test CRLs that I got was January 29, 2004, but very stupidly on my part, I didn't :(...
> > > > > > > > > > >
> > > > > > > > > > > In other words, we're using these same test CRLs in a couple of different test labs (all running Win2K Server or Advanced Server), and they're ALL still working, and I didn't even think about it. Darn!!!
> > > > > > > > > > >
> > > > > > > > > > > Just recently, I started putting together a "Lessons Learned" document for my company, and actually for our partner community, and in beginning to do that, I started going back through my notes and trying to reproduce the results that I had documented in my notes.
> > > > > > > > > > >
> > > > > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > > > > >
> > > > > > > > > > > I am going to have to try to recreate my earlier Win2K3 environment, but I've already created a clean install of Win2K AS (SP4), and with the Win2K AS, it is definitely working with the expired CRLs, and IIS5 definitely is not shutting down websites that are SSL (client) secured when I delete the CRL from the ICA store.
> > > > > > > > > > >
> > > > > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this again, but unless my (voluminous) notes are completely whacked, I think that I'm going to find that Win2K3 does obey the CRL expiration date and does lock down the SSL (client) secured websites when I delete the CRL from the ICA store.
> > > > > > > > > > >
> > > > > > > > > > > Our policy and standard maintenance practices do call for ensuring that the CRLs are both populated and updated, so hopefully this won't be a problem, but if things turn out the way I'm alluding to above, these 2 problems seem like a kind of major problem in Win2K AS/IIS5?
> > > > > > > > > > >
> > > > > > > > > > > Will post back, but probably not immediately...
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to debug exactly what IIS is doing and what information is being returned by CryptoAPI through CAPIMON:
> > > > > > > > > > > >
> > > > > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > >
> > > > > > > > > > > > David B. Cross [MS]
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > > > >
> > > > > > > > > > > > http://support.microsoft.com
> > > > > > > > > > > >
> > > > > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > > > > Hi,
> > > > > > > > > > > > >
> > > > > > > > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5. This machine is a standalone server, i.e., it is not a member of a domain, and I've updated Win2K through SP4.
> > > > > > > > > > > > >
> > > > > > > > > > > > > The IIS5 website is configured for SSL with client and server authentication, and that part is working. My server and client certs are issued by a 3rd party CA, and all the client certs do not have the CDP populated.
> > > > > > > > > > > > >
> > > > > > > > > > > > > For my testing earlier, my CA provided me with several test CRLs, along with associated client certs, and I've been using CertMgr.exe to import the test CRLs into the Intermediate Certification Authorities (ICA) store during my testing.
> > > > > > > > > > > > >
> > > > > > > > > > > > > However, today I noticed that the test CRLs all have a "Next Update" date of 1/29/04, and since today is 3/26/04, I can't understand how these CRLs could still be working. It seems like they should be considered invalid and that since IIS5 is calling CryptoAPI to do the CRL checking, that I should be getting some kind of error?
> > > > > > > > > > > > >
> > > > > > > > > > > > > I've checked the system date on the server, and it's definitely correct (today's date), so I'm really puzzled. I really have the impression that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL was not within the validity period.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Can someone explain why these out-of-validity-period CRLs still seem to work all right?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > Jim
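The CRL validity-period check that the thread expects CryptoAPI and IIS to perform, as an added example that is not part of this newsgroup thread and is not Microsoft's code: a Go program, standard library only, that builds a throw-away CA and a CRL whose Next Update is 29 Jan 2004 (the date on Jim's test CRLs), then evaluates a serial against it as of 26 Mar 2004, the "today" of the original question. The check verifies the CRL signature and the thisUpdate/nextUpdate window before consulting the revoked-serial list, and reports an expired CRL as "revocation status unknown" rather than "not revoked"; that is the fail-closed behaviour Jim saw on Win2K3/IIS6 and missed on Win2K/IIS5. For reference, in the Windows SDK header wincrypt.h the Flags value 0x00000007 from the CAPIMON output is CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS, the three time-validity IGNORE flags combined; the thread does not establish whether that setting is what lets the expired CRLs pass. The CA name, serial numbers and dates below are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome of a revocation check for one end-entity serial.
type Verdict int

const (
	StatusGood    Verdict = iota // CRL is current and does not list the serial
	StatusRevoked                // CRL is current and lists the serial
	StatusUnknown                // CRL unusable: bad signature, not yet valid, or expired
)

func (v Verdict) String() string { return [...]string{"good", "revoked", "unknown"}[v] }

// CheckRevocation evaluates serial against a DER-encoded CRL as of 'now'. An expired
// CRL is not evidence of non-revocation, so it yields StatusUnknown (fail closed).
func CheckRevocation(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (Verdict, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	// Signature first: an unsigned or tampered list proves nothing.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature invalid: %w", err)
	}
	// Validity window: thisUpdate <= now <= nextUpdate (RFC 5280, section 5.1.2.5).
	if now.Before(crl.ThisUpdate) {
		return StatusUnknown, fmt.Errorf("CRL not yet valid (thisUpdate %s)", crl.ThisUpdate.Format("2006-01-02"))
	}
	if now.After(crl.NextUpdate) {
		return StatusUnknown, fmt.Errorf("CRL expired (nextUpdate %s)", crl.NextUpdate.Format("2006-01-02"))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// BuildTestPKI creates, in memory, a self-signed CA and a CRL signed by it. The CRL
// revokes serial 2 and carries the Next Update date from the thread (29 Jan 2004).
// The CA name, serials and dates are constructed sample values for this example.
func BuildTestPKI() (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Test CA"},
		NotBefore:    time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2013, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to sign CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER) // re-parse so SubjectKeyId is populated
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: time.Date(2003, 12, 30, 0, 0, 0, 0, time.UTC),
		NextUpdate: time.Date(2004, 1, 29, 0, 0, 0, 0, time.UTC),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(2), RevocationTime: time.Date(2003, 12, 29, 0, 0, 0, 0, time.UTC)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		return nil, nil, err
	}
	return ca, crlDER, nil
}

func main() {
	ca, crlDER, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	// 26 Mar 2004 is the "today" of the original post; the CRL's Next Update is 29 Jan 2004.
	v, err := CheckRevocation(crlDER, ca, big.NewInt(3), time.Date(2004, 3, 26, 0, 0, 0, 0, time.UTC))
	fmt.Println(v, err) // unknown CRL expired (nextUpdate 2004-01-29)
}
```

A gate that requires StatusGood, rather than merely "not StatusRevoked", is what makes a stale or missing CRL block access instead of silently permitting it, which is the difference between the two server versions Jim compared.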


