Re: Problem with IIS5 - "expired" CRLs not working?

From: Ohaya (ohaya_at_cox.net)
Date: 03/31/04


Date: Wed, 31 Mar 2004 13:18:29 -0500

David,

BTW, a bit off-topic, but why is it that I can only seem to run CAPIMON
once? If I try -start, then -stop, then -start again, it doesn't seem
to capture anything. I seem to have to reboot the system between
captures in order for it to capture.

Thanks,
Jim

Ohaya wrote:
>
> Hi,
>
> Theory (in lieu of being able to find any information on the
> CERT_CHAIN_POLICY... flags):
>
> If I'm understanding things, CAPIMON shows the calls to CryptoAPI, including
> calls from IIS5 itself, and parameters in such calls.
>
> If I'm interpreting things correctly from the CAPIMONUI output, something
> (presumably IIS5) is calling CertVerifyCertificateChainPolicy() with flags
> that tell CertVerifyCertificateChainPolicy() not to pay attention to the
> time validity of what it's checking, i.e., "Don't worry whether or not any
> of the things you're checking are within their validity period".
>
> Is this possible?
>
> If so, this might seem to explain why IIS5 appears to be ignoring the
> validity period of the CRLs?
>
> Jim
>
> "Ohaya" <ohaya@cox.net> wrote in message news:406AE6FA.EE63FFD6@cox.net...
> > David,
> >
> > Ok, sorry, I missed this.
> >
> > During a connect with a good client cert, I am getting 4 lines with my
> > root CA name in the "End Entity".
> >
> > These 4 lines come in pairs, with the call to CertGetCertificateChain
> > first, then a call to CertVerifyCertificateChainPolicy immediately after
> > that. All 4 calls have Status "OK".
> >
> > I don't know what this means, but I noticed that in the calls to
> > CertVerifyCertificateChainPolicy, it's showing at the bottom:
> >
> > Policy Para:
> > Flags: 0x00000007
> > CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG (0x00000001)
> > CERT_CHAIN_POLICY_IGNORE.... (0x00000002)
> > CERT_CHAIN_................. (0x00000004)
> >
> > What are these? I'm wondering about the "IGNORE_NOT_TIME_VALID" part?
> > Is this saying that CryptoAPI shouldn't check for time validity maybe?
> >
> > Could this be why IIS5 is not considering the client certs revoked when
> > the CRL is expired?
> >
> > Jim
> >
> >
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I guess the problem might be that I don't know precisely how to interpret
> > > the CAPIMONUI display, but the only rows that I see that show an "End
> > > Entity" with my host server cert or my root CA cert name are 2 entries at
> > > the very beginning of the CAPIMONUI display, for calls to
> > > CertGetCertificate, which have Status of "OK".
> > >
> > > Then there are a bunch of lines showing "End Entity" that look like other
> > > CAs in the "Trusted Root" store (I think). Some of these show Status "OK",
> > > and some show other statuses, e.g., wrong purpose, etc.
> > >
> > > I don't see any entries in the CAPIMONUI display for the 2 "Revocation"
> > > ("Revocation" and "RevocationDLL") calls.
> > >
> > > I'm going to try again with a known revoked cert later, but that's what I'm
> > > seeing in CAPIMONUI.
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:%234rAqOyFEHA.2664@TK2MSFTNGP11.phx.gbl...
> > > > yes, you run CAPIMON on the server. You don't see your client cert being
> > > > checked on the server by IIS?
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> > > > > Hi,
> > > > >
> > > > > Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries
> > > > > in the output are CertGetCertificate with "End Entity" being my server
> > > > > cert name. Both of these have "Status" of "OK", with "Return" of
> > > > > "Success". Then there are the alternating calls with other End Entity,
> > > > > etc., some of which have errors, and some of which succeed.
> > > > >
> > > > > I don't get any of the "Revocation" calls, either successful or failed.
> > > > >
> > > > > I'm not quite sure how much more info this gives?
> > > > >
> > > > > Jim
> > > > >
> > > > >
> > > > >
> > > > > Ohaya wrote:
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > I think I've figured out basically how to use CAPIMON.
> > > > > >
> > > > > > With the default capimon_filter.inf, I did a connect from IE to IIS5
> > > > > > with a client certificate, but I am only getting a series of alternating
> > > > > > calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy,
> > > > > > with the End Entity/Root Cert columns showing some of the built-in root
> > > > > > certs that come with Windows. None of these have my root CA cert, and
> > > > > > none of the revocation-related calls are listed.
> > > > > >
> > > > > > I'm supposed to install CAPIMON on my IIS machine, right? Not on the
> > > > > > client machine, right?
> > > > > >
> > > > > > CAPIMON seems to be a bit "picky". After I do a "capimon -stop", seems
> > > > > > like I have to do a reboot before I do another "capimon -start".
> > > > > > Otherwise, capimon doesn't seem to record anything.
> > > > > >
> > > > > > Jim
> > > > > >
> > > > > > Ohaya wrote:
> > > > > > >
> > > > > > > David,
> > > > > > >
> > > > > > > I installed CAPIMON per your suggestion, last night, but I'm still trying to
> > > > > > > figure out how to use it :). It looks like it installs some kind of "shim"
> > > > > > > in front of the CryptoAPI? Sorry to ask, but what exactly do you suggest I
> > > > > > > set up for the filters(?)? I'm trudging my way through the docs...
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > > > > > I am not an expert on IIS, but I would need some more information to help
> > > > > > > > you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and
> > > > > > > > determine what error (or status) is being returned by CryptoAPI to IIS?
> > > > > > > > That will help us determine if:
> > > > > > > >
> > > > > > > > 1) CryptoAPI is returning the right status to IIS
> > > > > > > >
> > > > > > > > 2) Is IIS determining the right action based on this status
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > >
> > > > > > > > David B. Cross [MS]
> > > > > > > >
> > > > > > > > --
> > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > >
> > > > > > > > http://support.microsoft.com
> > > > > > > >
> > > > > > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> > > > > > > > news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > > > > > David,
> > > > > > > > >
> > > > > > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
> > > > > > > > > occurring. I can revoke a cert, import the new CRL into the ICA, and voila,
> > > > > > > > > connecting using the revoked cert will fail with 403.13.
> > > > > > > > >
> > > > > > > > > Revocation checking, per se, is NOT the problem.
> > > > > > > > >
> > > > > > > > > The problem is that when the CRL in the ICA is expired, things keep on
> > > > > > > > > working just as if the CRL was not expired.
> > > > > > > > >
> > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP in
> > > > > > > > > > certs as an indicator that revocation does not need to be checked.
> > > > > > > > > >
> > > > > > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > > > > > > > > > application allows the "no check" status to be interpreted as "OK",
> > > > > > > > > > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > > > > > >
> > > > > > > > > > As per your reply:
> > > > > > > > > >
> > > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > David B. Cross [MS]
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > >
> > > > > > > > > > http://support.microsoft.com
> > > > > > > > > >
> > > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message news:4065F9AB.8B3395C1@cox.net...
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
> > > > > > > > > > > and in this clean, "out-of-the-box" configuration, I tested, and,
> > > > > > > > > > > indeed, it appears that:
> > > > > > > > > > >
> > > > > > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
> > > > > > > > > > > 2000 AS apparently does not).
> > > > > > > > > > >
> > > > > > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > > > >
> > > > > > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a
> > > > > > > > > > > standalone server (no AD and no Certificate Services).
> > > > > > > > > > >
> > > > > > > > > > > Re. #2 above, I need to add that initially, obviously, there was not a
> > > > > > > > > > > CRL stored in the ICA, and in this initial configuration, IIS6 did allow
> > > > > > > > > > > connections.
> > > > > > > > > > >
> > > > > > > > > > > I then did testing using CertMgr to add a CRL (to test the validity
> > > > > > > > > > > period checking), and after that, I deleted the CRL from the ICA.
> > > > > > > > > > >
> > > > > > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > Ohaya wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > David,
> > > > > > > > > > > >
> > > > > > > > > > > > Thank goodness you're still here!!
> > > > > > > > > > > >
> > > > > > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
> > > > > > > > > > > > I'm starting to come to the conclusion that this (and another problem) are
> > > > > > > > > > > > Win2K AS-related (vs. Win2K3). Let me try to explain...
> > > > > > > > > > > >
> > > > > > > > > > > > Late last year, when I first started testing, I started with a Win2K3
> > > > > > > > > > > > installation. During that time, I began keeping a project notebook, where I
> > > > > > > > > > > > commented on my test results (including a lot of the conversations I had
> > > > > > > > > > > > here and on the inetserver.iis.security NG). According to my notes at that
> > > > > > > > > > > > time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
> > > > > > > > > > > > security-wise):
> > > > > > > > > > > >
> > > > > > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe and
> > > > > > > > > > > > confirmed using the MMC Certificates snap-in), IIS6 would not allow
> > > > > > > > > > > > connections at all for the website.
> > > > > > > > > > > >
> > > > > > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my company,
> > > > > > > > > > > > since what we were actually going to stand up were Win2K AS machines.
> > > > > > > > > > > >
> > > > > > > > > > > > From my notes from that time, it appears that I did not go back and check
> > > > > > > > > > > > those 2 behaviors that I mentioned above related to CRL processing.
> > > > > > > > > > > >
> > > > > > > > > > > > I really should have noticed at least the first problem, a LONG time ago,
> > > > > > > > > > > > since the Next Update date on the test CRLs that I got was January 29, 2004,
> > > > > > > > > > > > but very stupidly on my part, I didn't :(...
> > > > > > > > > > > >
> > > > > > > > > > > > In other words, we're using these same test CRLs in a couple of different
> > > > > > > > > > > > test labs (all running Win2K Server or Advanced Server), and they're ALL
> > > > > > > > > > > > still working, and I didn't even think about it. Darn!!!
> > > > > > > > > > > >
> > > > > > > > > > > > Just recently, I started putting together a "Lessons Learned" document for
> > > > > > > > > > > > my company, and actually for our partner community, and in beginning to do
> > > > > > > > > > > > that, I started going back through my notes and trying to reproduce the
> > > > > > > > > > > > results that I had documented in my notes.
> > > > > > > > > > > >
> > > > > > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > > > > > >
> > > > > > > > > > > > I am going to have to try to recreate my earlier Win2K3 environment, but
> > > > > > > > > > > > I've already created a clean install of Win2K AS (SP4), and with the Win2K
> > > > > > > > > > > > AS, it is definitely working with the expired CRLs, and IIS5 definitely is
> > > > > > > > > > > > not shutting down websites that are SSL (client) secured when I delete the
> > > > > > > > > > > > CRL from the ICA store.
> > > > > > > > > > > >
> > > > > > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this again,
> > > > > > > > > > > > but unless my (voluminous) notes are completely whacked, I think that I'm
> > > > > > > > > > > > going to find that Win2K3 does obey the CRL expiration date and does lock
> > > > > > > > > > > > down the SSL (client) secured websites when I delete the CRL from the ICA
> > > > > > > > > > > > store.
> > > > > > > > > > > >
> > > > > > > > > > > > Our policy and standard maintenance practices do call for ensuring that the
> > > > > > > > > > > > CRLs are both populated and updated, so hopefully this won't be a problem,
> > > > > > > > > > > > but if things turn out the way I'm alluding to above, these 2 problems seem
> > > > > > > > > > > > like a kind of major problem in Win2K AS/IIS5?
> > > > > > > > > > > >
> > > > > > > > > > > > Will post back, but probably not immediately...
> > > > > > > > > > > >
> > > > > > > > > > > > Jim
> > > > > > > > > > > >
> > > > > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > > > > > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to debug exactly
> > > > > > > > > > > > > what IIS is doing and what information is being returned by CryptoAPI
> > > > > > > > > > > > > through CAPIMON:
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > David B. Cross [MS]
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://support.microsoft.com
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > > > > > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5. This
> > > > > > > > > > > > > > machine is a standalone server, i.e., it is not a member of a domain,
> > > > > > > > > > > > > > and I've updated Win2K through SP4.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > > > > > > > > > authentication, and that part is working. My server and client certs
> > > > > > > > > > > > > > are issued by a 3rd party CA, and all the client certs do not have the
> > > > > > > > > > > > > > CDP populated.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > For my testing earlier, my CA provided me with several test CRLs, along
> > > > > > > > > > > > > > with associated client certs, and I've been using CertMgr.exe to import
> > > > > > > > > > > > > > the test CRLs into the Intermediate Certification Authorities (ICA)
> > > > > > > > > > > > > > store during my testing.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > However, today I noticed that the test CRLs all have a "Next Update"
> > > > > > > > > > > > > > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > > > > > > > > > > > > > these CRLs could still be working. It seems like they should be
> > > > > > > > > > > > > > considered invalid and that since IIS5 is calling CryptoAPI to do the
> > > > > > > > > > > > > > CRL checking, that I should be getting some kind of error?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I've checked the system date on the server, and it's definitely correct
> > > > > > > > > > > > > > (today's date), so I'm really puzzled. I really have the impression
> > > > > > > > > > > > > > that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL
> > > > > > > > > > > > > > was not within the validity period.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Can someone explain why these out-of-validity-period CRLs still seem to
> > > > > > > > > > > > > > work all right?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > > Jim
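
As an added illustration (not code from this thread, from Microsoft, or from CAPIMON), the Python below does two things the thread circles around: it decodes the "Flags: 0x00000007" value that CAPIMON shows for the CertVerifyCertificateChainPolicy call into the CERT_CHAIN_POLICY_* bit names, and it checks a CRL's validity window (Next Update) independently of whatever an application asks CryptoAPI to ignore. The flag names and bit values are taken from wincrypt.h; the thread only shows the first of them by name. The CRL contents, the serial numbers and the CAPIMON-style lines are constructed samples built from the dates quoted in the thread (Next Update 1/29/04, test on 3/26/04). Whether the IGNORE_NOT_TIME_VALID bit is what lets IIS5 keep accepting the expired CRL is Jim's theory; the script only shows what the caller is asking to ignore and what a fresh check of the CRL would say.

```python
"""Decode CertVerifyCertificateChainPolicy flags seen in CAPIMON output and
check CRL freshness independently of them. Added example, not from the thread."""
import re
from datetime import datetime, timezone

# CERT_CHAIN_POLICY_* bits as defined in wincrypt.h. The thread shows only the
# first name; Flags 0x00000007 sets the first three.
POLICY_FLAGS = {
    0x00000001: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG",
    0x00000002: "CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG",
    0x00000004: "CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG",
    0x00000008: "CERT_CHAIN_POLICY_IGNORE_INVALID_BASIC_CONSTRAINTS_FLAG",
    0x00000010: "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG",
    0x00000020: "CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG",
    0x00000040: "CERT_CHAIN_POLICY_IGNORE_INVALID_NAME_FLAG",
    0x00000080: "CERT_CHAIN_POLICY_IGNORE_INVALID_POLICY_FLAG",
    0x00000100: "CERT_CHAIN_POLICY_IGNORE_END_REV_UNKNOWN_FLAG",
    0x00000200: "CERT_CHAIN_POLICY_IGNORE_CTL_SIGNER_REV_UNKNOWN_FLAG",
    0x00000400: "CERT_CHAIN_POLICY_IGNORE_CA_REV_UNKNOWN_FLAG",
    0x00000800: "CERT_CHAIN_POLICY_IGNORE_ROOT_REV_UNKNOWN_FLAG",
}
# Bits that make the policy check tolerate a time-validity failure or an
# unknown revocation status; a call carrying any of these is worth an alert.
WEAKENING_BITS = 0x00000001 | 0x00000F00


def decode_policy_flags(flags):
    """Return the names of the set bits; bits not in the table are reported as hex."""
    names = [name for bit, name in sorted(POLICY_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(POLICY_FLAGS)
    if unknown:
        names.append("unknown bits 0x%08x" % unknown)
    return names


FLAGS_RE = re.compile(r"Flags:\s*0x([0-9A-Fa-f]{1,8})")


def audit_capimon(lines):
    """Find 'Flags: 0x...' lines in CAPIMON-style text and report which checks
    each call asks CryptoAPI to ignore.
    Returns (line_no, flags, names, weakens_time_or_revocation) tuples."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = FLAGS_RE.search(line)
        if m:
            flags = int(m.group(1), 16)
            findings.append((no, flags, decode_policy_flags(flags),
                             bool(flags & WEAKENING_BITS)))
    return findings


def utc(year, month, day):
    """Aware UTC datetime for a calendar date (helper for the samples)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def crl_status(serial, crl, now):
    """Conservative revocation decision from one CRL, ignoring application flags.

    crl: None (nothing in the store) or a dict with 'this_update' and
    'next_update' (aware datetimes) and 'revoked' (a set of serial numbers).
    Returns 'no_crl', 'crl_not_yet_valid', 'crl_expired', 'revoked' or 'good';
    only 'good' should be treated as a pass."""
    if crl is None:
        return "no_crl"
    if now < crl["this_update"]:
        return "crl_not_yet_valid"
    if now > crl["next_update"]:
        return "crl_expired"   # stale list: status is unknown, not "good"
    return "revoked" if serial in crl["revoked"] else "good"


# Constructed samples using the dates quoted in the thread.
SAMPLE_CRL = {
    "this_update": utc(2003, 12, 30),
    "next_update": utc(2004, 1, 29),   # the "Next Update" of 1/29/04
    "revoked": {0x1234},               # constructed serial number
}
SAMPLE_CAPIMON = [
    "CertVerifyCertificateChainPolicy   Status: OK",
    "Policy Para:",
    "Flags: 0x00000007",
]

if __name__ == "__main__":
    for no, flags, names, weak in audit_capimon(SAMPLE_CAPIMON):
        print("line %d: Flags 0x%08x%s" % (no, flags, " (weakens checks)" if weak else ""))
        for n in names:
            print("    " + n)
    print("CRL status on 3/26/04:", crl_status(0x1234, SAMPLE_CRL, utc(2004, 3, 26)))
```

Run against the sample lines, the audit flags the 0x00000007 call as one that suppresses time-validity errors, and crl_status reports "crl_expired" for 3/26/04 rather than "good", which is the answer Jim expected from IIS5. The same crl_status check, pointed at the CRLs actually sitting in the ICA store, is a cheap scheduled control for the "keep the CRLs populated and updated" practice mentioned in the thread.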


