Re: Problem with IIS5 - "expired" CRLs not working?
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 04/02/04
- Next message: Drew Cooper [MSFT]: "Re: DACL to readable name."
- Previous message: John Banes [MS]: "Re: Secure Storage"
- In reply to: Ohaya: "Re: Problem with IIS5 - "expired" CRLs not working?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 Apr 2004 14:08:37 -0800
To close on this mail thread with everyone, we believe we have found a
hotfix with IIS 5.0 that corrects this problem.
--
David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message news:ea8qMwzFEHA.2428@tk2msftngp13.phx.gbl...
> Hi,
>
> Theory (in lieu of being able to find any information on the CERT_CHAIN_POLICY... flags):
>
> If I'm understanding things, CAPIMON shows the calls to CryptoAPI, including calls from IIS5 itself, and parameters in such calls.
>
> If I'm interpreting things correctly from the CAPIMONUI output, something (presumably IIS5) is calling CertVerifyCertificateChainPolicy() with flags that tell CertVerifyCertificateChainPolicy() not to pay attention to the time validity of what it's checking, i.e., "Don't worry whether or not any of the things you're checking are within their validity period".
>
> Is this possible?
>
> If so, this might seem to explain why IIS5 appears to be ignoring the validity period of the CRLs?
>
> Jim
>
> "Ohaya" <ohaya@cox.net> wrote in message news:406AE6FA.EE63FFD6@cox.net...
> > David,
> >
> > Ok, sorry, I missed this.
> >
> > During a connect with a good client cert, I am getting 4 lines with my root CA name in the "End Entity".
> >
> > These 4 lines come in pairs, with the call to CertGetCertificateChain first, then a call to CertVerifyCertificateChainPolicy immediately after that. All 4 calls have Status "OK".
> >
> > I don't know what this means, but I noticed that in the calls to CertVerifyCertificateChainPolicy, it's showing at the bottom:
> >
> > Policy Para:
> > Flags: 0x00000007
> > CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG (0x00000001)
> > CERT_CHAIN_POLICY_IGNORE.... (0x00000002)
> > CERT_CHAIN_................. (0x00000004)
> >
> > What are these? I'm wondering about the "IGNORE_NOT_TIME_VALID" part? Is this saying that CryptoAPI shouldn't check for time validity maybe?
> >
> > Could this be why IIS5 is not considering the client certs revoked when the CRL is expired?
> >
> > Jim
> >
> > Ohaya wrote:
> > >
> > > David,
> > >
> > > I guess the problem might be that I don't know precisely how to interpret the CAPIMONUI display, but the only rows that I see that show an "End Entity" with my host server cert or my root CA cert name are 2 entries at the very beginning of the CAPIMONUI display, for calls to CertGetCertificate, which have Status of "OK".
> > >
> > > Then there are a bunch of lines showing "End Entity" that look like other CAs in the "Trusted Root" store (I think). Some of these show Status "OK", and some show other statuses, e.g., wrong purpose, etc.
> > >
> > > I don't see any entries in the CAPIMONUI display for the 2 "Revocation" ("Revocation" and "RevocationDLL") calls.
> > >
> > > I'm going to try again with a known revoked cert later, but that's what I'm seeing in CAPIMONUI.
> > >
> > > Jim
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:%234rAqOyFEHA.2664@TK2MSFTNGP11.phx.gbl...
> > > > yes, you run CAPIMON on the server. You don't see your client cert being checked on the server by IIS?
> > > >
> > > > -- David B. Cross [MS]
> > > >
> > > > "Ohaya" <ohaya@cox.net> wrote in message news:406A2419.7FB65A37@cox.net...
> > > > > Hi,
> > > > >
> > > > > Ok, I changed all the "ErrorAll" to "LogAll", and now the 1st 2 entries in the output are CertGetCertificate with "End Entity" being my server cert name. Both of these have "Status" of "OK", with "Return" of "Success". Then there are the alternating calls with other End Entity, etc., some of which have errors, and some of which succeed.
> > > > >
> > > > > I don't get any of the "Revocation" calls, either successful or failed.
> > > > >
> > > > > I'm not quite sure how much more info this gives?
> > > > >
> > > > > Jim
> > > > >
> > > > > Ohaya wrote:
> > > > > >
> > > > > > David,
> > > > > >
> > > > > > I think I've figured out basically how to use CAPIMON.
> > > > > >
> > > > > > With the default capimon_filter.inf, I did a connect from IE to IIS5 with a client certificate, but I am only getting a series of alternating calls to CertGetCertificateChain and CertVerifyCertificateChainPolicy, with the End Entity/Root Cert columns showing some of the built-in root certs that come with Windows. None of these have my root CA cert, and none of the revocation-related calls are listed.
> > > > > >
> > > > > > I'm supposed to install CAPIMON on my IIS machine, right? Not on the client machine, right?
> > > > > >
> > > > > > CAPIMON seems to be a bit "picky". After I do a "capimon -stop", seems like I have to do a reboot before I do another "capimon -start". Otherwise, capimon doesn't seem to record anything.
> > > > > >
> > > > > > Jim
> > > > > >
> > > > > > Ohaya wrote:
> > > > > > >
> > > > > > > David,
> > > > > > >
> > > > > > > I installed CAPIMON per your suggestion, last night, but I'm still trying to figure out how to use it :). It looks like it installs some kind of "shim" in front of the CryptoAPI? Sorry to ask, but what exactly do you suggest I set up for the filters(?)? I'm trudging my way through the docs...
> > > > > > >
> > > > > > > Jim
> > > > > > >
> > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> > > > > > > > I am not an expert on IIS, but I would need some more information to help you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and determine what error (or status) is being returned by CryptoAPI to IIS? That will help us determine if:
> > > > > > > >
> > > > > > > > 1) CryptoAPI is returning the right status to IIS
> > > > > > > >
> > > > > > > > 2) Is IIS determining the right action based on this status
> > > > > > > >
> > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > >
> > > > > > > > -- David B. Cross [MS]
> > > > > > > >
> > > > > > > > "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > > > > > > > > David,
> > > > > > > > >
> > > > > > > > > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS occurring. I can revoke a cert, import the new CRL into the ICA, and voila, connecting using the revoked cert will fail with 403.13.
> > > > > > > > >
> > > > > > > > > Revocation checking, per se, is NOT the problem.
> > > > > > > > >
> > > > > > > > > The problem is that when the CRL in the ICA is expired, things keep on working just as if the CRL was not expired.
> > > > > > > > >
> > > > > > > > > Jim
> > > > > > > > >
> > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > This may be a nuance with IIS 5.0, but many applications treat no CDP in certs as an indicator that revocation does not need to be checked.
> > > > > > > > > >
> > > > > > > > > > Windows Server 2003 CryptoAPI is a little smarter in that even if the application allows the "no check" status to be interpreted as "OK", CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > > > > > > > > >
> > > > > > > > > > As per your reply:
> > > > > > > > > >
> > > > > > > > > > (again my client certs don't have CDP populated).
> > > > > > > > > >
> > > > > > > > > > -- David B. Cross [MS]
> > > > > > > > > >
> > > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message news:4065F9AB.8B3395C1@cox.net...
> > > > > > > > > > > Hi,
> > > > > > > > > > >
> > > > > > > > > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6, and in this clean, "out-of-the-box" configuration, I tested, and, indeed, it appears that:
> > > > > > > > > > >
> > > > > > > > > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows 2000 AS apparently does not).
> > > > > > > > > > >
> > > > > > > > > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store (again my client certs don't have CDP populated).
> > > > > > > > > > >
> > > > > > > > > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a standalone server (no AD and no Certificate Services).
> > > > > > > > > > >
> > > > > > > > > > > Re. #2 above, I need to add that initially, obviously, there was not a CRL stored in the ICA, and in this initial configuration, IIS6 did allow connections.
> > > > > > > > > > >
> > > > > > > > > > > I then did testing using CertMgr to add a CRL (to test the validity period checking), and after that, I deleted the CRL from the ICA.
> > > > > > > > > > >
> > > > > > > > > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > > > > > > > > >
> > > > > > > > > > > Jim
> > > > > > > > > > >
> > > > > > > > > > > Ohaya wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > David,
> > > > > > > > > > > >
> > > > > > > > > > > > Thank goodness you're still here!!
> > > > > > > > > > > >
> > > > > > > > > > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI, I'm starting to come to the conclusion that this (and another problem) are Win2K AS-related (vs. Win2K3). Let me try to explain...
> > > > > > > > > > > >
> > > > > > > > > > > > Late last year, when I first started testing, I started with a Win2K3 installation. During that time, I began keeping a project notebook, where I commented on my test results (including a lot of the conversations I had here and on the inetserver.iis.security NG). According to my notes at that time, I confirmed that Win2K3/IIS6 did a couple of things (that were good, security-wise):
> > > > > > > > > > > >
> > > > > > > > > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > > > > > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe and confirmed using the MMC Certificates snap-in), IIS6 would not allow connections at all for the website.
> > > > > > > > > > > >
> > > > > > > > > > > > As I continued testing, I eventually got a Win2K AS CD from my company, since what we were actually going to stand up were Win2K AS machines.
> > > > > > > > > > > >
> > > > > > > > > > > > From my notes from that time, it appears that I did not go back and check those 2 behaviors that I mentioned above related to CRL processing.
> > > > > > > > > > > >
> > > > > > > > > > > > I really should have noticed at least the first problem, a LONG time ago, since the Next Update date on the test CRLs that I got was January 29, 2004, but very stupidly on my part, I didn't :(...
> > > > > > > > > > > >
> > > > > > > > > > > > In other words, we're using these same test CRLs in a couple of different test labs (all running Win2K Server or Advanced Server), and they're ALL still working, and I didn't even think about it. Darn!!!
> > > > > > > > > > > >
> > > > > > > > > > > > Just recently, I started putting together a "Lessons Learned" document for my company, and actually for our partner community, and in beginning to do that, I started going back through my notes and trying to reproduce the results that I had documented in my notes.
> > > > > > > > > > > >
> > > > > > > > > > > > And, that's when I started finding these differences/problems.
> > > > > > > > > > > >
> > > > > > > > > > > > I am going to have to try to recreate my earlier Win2K3 environment, but I've already created a clean install of Win2K AS (SP4), and with the Win2K AS, it is definitely working with the expired CRLs, and IIS5 definitely is not shutting down websites that are SSL (client) secured when I delete the CRL from the ICA store.
> > > > > > > > > > > >
> > > > > > > > > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this again, but unless my (voluminous) notes are completely whacked, I think that I'm going to find that Win2K3 does obey the CRL expiration date and does lock down the SSL (client) secured websites when I delete the CRL from the ICA store.
> > > > > > > > > > > >
> > > > > > > > > > > > Our policy and standard maintenance practices do call for ensuring that the CRLs are both populated and updated, so hopefully this won't be a problem, but if things turn out the way I'm alluding to above, these 2 problems seem like a kind of major problem in Win2K AS/IIS5?
> > > > > > > > > > > >
> > > > > > > > > > > > Will post back, but probably not immediately...
> > > > > > > > > > > >
> > > > > > > > > > > > Jim
> > > > > > > > > > > >
> > > > > > > > > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > > As an additional troubleshooting step, you can use CAPIMON to debug exactly what IIS is doing and what information is being returned by CryptoAPI through CAPIMON:
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > > > > > > > > >
> > > > > > > > > > > > > -- David B. Cross [MS]
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > > > > > > > > Hi,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5. This machine is a standalone server, i.e., it is not a member of a domain, and I've updated Win2K through SP4.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > The IIS5 website is configured for SSL with client and server authentication, and that part is working. My server and client certs are issued by a 3rd party CA, and all the client certs do not have the CDP populated.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > For my testing earlier, my CA provided me with several test CRLs, along with associated client certs, and I've been using CertMgr.exe to import the test CRLs into the Intermediate Certification Authorities (ICA) store during my testing.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > However, today I noticed that the test CRLs all have a "Next Update" date of 1/29/04, and since today is 3/26/04, I can't understand how these CRLs could still be working. It seems like they should be considered invalid and that since IIS5 is calling CryptoAPI to do the CRL checking, that I should be getting some kind of error?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I've checked the system date on the server, and it's definitely correct (today's date), so I'm really puzzled. I really have the impression that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL was not within the validity period.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Can someone explain why these out-of-validity-period CRLs still seem to work all right?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > > Jim
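Added worked example (editor's addition; not part of the thread, and not IIS or CryptoAPI code). The two behaviours Jim compares come down to one decision: what a verifier does when the only CRL it has for the issuer has passed its Next Update, or when there is no CRL at all. The Go program below models both: a strict policy that treats either condition as "revocation status unknown" and denies (what Jim reports for Windows Server 2003 / IIS6), and a lenient one that keeps using the stale CRL and admits when no CRL is present (what he reports for Windows 2000 / IIS5). It builds its own throwaway CA, client certificates and CRLs with the Go standard library (Go 1.19 or later, for x509.ParseRevocationList), so every certificate, serial and date in it is constructed; the stale CRL reuses the numbers from the report (Next Update 1/29/04, checked on 3/26/04). The Policy type, the Strict/Lenient names and the checkRevocation logic are assumptions made for the illustration, not a description of how either IIS version is implemented. For orientation on the CAPIMON output: per wincrypt.h, the 0x00000007 flag word is CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS, the union of CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG (0x1), CERT_CHAIN_POLICY_IGNORE_CTL_NOT_TIME_VALID_FLAG (0x2) and CERT_CHAIN_POLICY_IGNORE_NOT_TIME_NESTED_FLAG (0x4); those bits silence certificate and CTL time-validity errors, whereas a stale CRL is reported through the chain's revocation status (CERT_TRUST_IS_OFFLINE_REVOCATION, documented as "offline or stale"), which is exactly the condition the strict policy here refuses to read as "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is the revocation outcome; only Good may admit a client certificate.
type Status int

const (
	Good    Status = iota // a usable CRL from the issuer does not list the serial
	Revoked               // a usable CRL lists the serial
	Unknown               // no usable CRL (missing, badly signed, stale): deny
)

// Policy models the two behaviours compared in the thread; an assumption for this example, not IIS code.
type Policy struct{ AcceptStaleCRL, AllowMissingCRL bool }

var Strict = Policy{}                                            // what Jim saw on Windows Server 2003 / IIS6
var Lenient = Policy{AcceptStaleCRL: true, AllowMissingCRL: true} // what Jim saw on Windows 2000 / IIS5
var checkTime = time.Date(2004, 3, 26, 0, 0, 0, 0, time.UTC)      // "today" in Jim's report

// checkRevocation decides the status of leaf from the CRL the store holds for its issuer (nil if none), as of now.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time, p Policy) (Status, error) {
	if crlDER == nil {
		if p.AllowMissingCRL {
			return Good, nil
		}
		return Unknown, fmt.Errorf("no CRL for %q in store", issuer.Subject.CommonName)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Unknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // a CRL the issuer did not sign is never usable, whatever the policy
		return Unknown, err
	}
	stale := now.Before(crl.ThisUpdate) || (!crl.NextUpdate.IsZero() && now.After(crl.NextUpdate))
	if stale && !p.AcceptStaleCRL {
		return Unknown, fmt.Errorf("CRL stale: NextUpdate %s, now %s", crl.NextUpdate.Format("2006-01-02"), now.Format("2006-01-02"))
	}
	for _, rc := range crl.RevokedCertificates { // still populated on Go 1.21+, next to RevokedCertificateEntries
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fixture is a constructed test PKI (not real data): a CA, a good and a revoked client cert, and two CA-signed CRLs.
type fixture struct {
	ca, goodLeaf, revokedLeaf *x509.Certificate
	freshCRL, staleCRL        []byte
}

func buildFixture(now time.Time) fixture {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	issue := func(serial int64, cn string, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
		if parent == nil { // self-signed CA; CreateRevocationList insists on the CRLSign key usage
			t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
			parent = t
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
	}
	ca := issue(1, "Constructed Test CA", nil, &caKey.PublicKey)
	good, revoked := issue(1001, "good client", ca, &leafKey.PublicKey), issue(1002, "revoked client", ca, &leafKey.PublicKey)
	crl := func(thisUpdate, nextUpdate time.Time) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
			RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: thisUpdate}},
		}, ca, caKey))
	}
	// The stale CRL uses Jim's numbers: Next Update 1/29/04, checked on 3/26/04, i.e. 57 days past NextUpdate.
	return fixture{ca, good, revoked, crl(now.AddDate(0, 0, -1), now.AddDate(0, 1, 0)), crl(now.AddDate(0, 0, -87), now.AddDate(0, 0, -57))}
}

// outcomes evaluates the situations Jim describes under both policies, keyed "policy: situation".
func outcomes(f fixture, now time.Time) map[string]Status {
	out := map[string]Status{}
	for pname, p := range map[string]Policy{"strict": Strict, "lenient": Lenient} {
		for _, c := range []struct {
			name string
			leaf *x509.Certificate
			crl  []byte
		}{{"good cert, fresh CRL", f.goodLeaf, f.freshCRL}, {"good cert, stale CRL", f.goodLeaf, f.staleCRL},
			{"revoked cert, stale CRL", f.revokedLeaf, f.staleCRL}, {"good cert, no CRL", f.goodLeaf, nil}} {
			out[pname+": "+c.name], _ = checkRevocation(c.leaf, f.ca, c.crl, now, p)
		}
	}
	return out
}

func main() {
	for name, st := range outcomes(buildFixture(checkTime), checkTime) {
		fmt.Printf("%-32s admit=%-5t (%s)\n", name, st == Good, [...]string{"Good", "Revoked", "Unknown"}[st])
	}
}
```

Run it with `go run` on Go 1.19 or newer. Under the strict policy the stale CRL and the missing CRL both yield Unknown, so a good certificate is refused until a current CRL is installed, which is the lock-out Jim saw on IIS6 after deleting the CRL; under the lenient policy the 57-day-old CRL is honoured as if it were fresh (a revoked serial is still rejected, an unlisted one admitted) and a missing CRL admits everything, which matches the IIS5 behaviour in the report. Note that the signature check sits before the policy switch on purpose: leniency about freshness must never become leniency about who signed the CRL.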