Re: Detailed description of Crypto API changes in MS04-011 available??
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: Tue, 3 Aug 2004 05:13:44 -0700
We are working on an updated version of this paper which will include all
the MS04-011 updates, but unfortunately it is not yet ready.
-- David B. Cross [MS] --
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Christian Swoboda" <email@example.com> wrote in message news:firstname.lastname@example.org...
> Hi there!
>
> I know it seems a bit late ;-) but since I'm writing a paper about
> "Web Authentication with Client Certificates" and my company uses
> this authentication since 2001 I would like to know if there's
> a detailed description of Crypto API changes which came with
> the patch MS04-011 (especially the changes related to client
> certificates and CRL checking).
>
> We are using Windows 2000 Server with the latest SPs and patches
> (also since 2001) and IIS 5 (obviously ;-)
>
> Here are a few things I found out so far:
>
> - Before this patch client certificates with a (specific) faulty CDP
>   were NOT seen as revoked by IIS 5 !! This led to the effect that
>   before the patch these certificates were accepted by IIS and after
>   the patch they were rejected (even ones NOT on the CRL!)
>   [e.g. if the only CDP entry is LDAP but the address is missing, the
>   CRL was not checked]
>
> - The CRL-cache directory for IIS has changed from
>   "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files"
>   to
>   "C:\Documents and Settings\Default User\Application Data\Microsoft\CryptNetUrlCache"
>
>   You can verify this easily with the "certutil" utility which came
>   with Windows Server 2003 (that's how I found out about it):
>
>   certutil -v -urlcache CRL
>
>   BTW: Here's "How to use the Windows Server 2003 version of the
>   Certutil.exe program on a Windows XP or a Windows 2000-based
>   computer": http://support.microsoft.com/?id=836427
>
> - On one test server the "CertCheckMode" IIS MetaBase setting did not
>   turn off CRL checking when set to 1 (could be a faulty metabase, though)
>
> Some other hints about changes can be found here:
>
> Errors with client certificates occur after you install the MS04-011
> security update on an IIS 5.0 computer
> http://support.microsoft.com/?id=841642
>
> IIS returns a "403.13 Client Certificate Revoked" error message after
> you install MS04-011 because of Wininet proxy settings
> http://support.microsoft.com/?id=841641
>
> You receive a "403.13 client certificate revoked" error message after
> you install the MS04-011 security update
> http://support.microsoft.com/?id=841632
>
> Maybe this not only leads to a response from Microsoft people, but it
> also helps one or two guys out there scratching their heads right now ...
>
> cheers
> Chris
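The failure mode Chris describes (a client certificate whose only CDP entry is an LDAP URI with no address, so the CRL was never fetched and, after MS04-011, the certificate is rejected outright) can be caught before deployment by auditing the CDP URIs in the certificates you issue or accept. The following is an added example, not code from this thread or from Microsoft; it assumes the CDP URIs have already been extracted from the certificate (for instance from a certutil dump) and are passed in as plain strings, and the set of fetchable URL schemes is an assumption for the example. It generalizes the single LDAP case to any CDP list: every entry is classified, and the certificate is flagged when no entry at all is usable.

```python
"""Audit CRL Distribution Point (CDP) URIs for entries a web server cannot fetch.

Added example; not code from the mailing-list thread. It assumes the CDP
URIs have already been pulled out of the client certificate (e.g. from a
certutil dump) and are passed in as strings.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Schemes from which a CRL can be retrieved by URL (assumed set for this
# example; http and ldap are the ones discussed in the thread).
FETCHABLE_SCHEMES = {"http", "https", "ldap", "file"}
# Schemes that need a host part to be fetchable at all.
HOST_REQUIRED = {"http", "https", "ldap"}


def classify_cdp(uri: str) -> Tuple[str, str]:
    """Return (status, reason) for one CDP URI; status is "ok" or "unusable".

    An ldap:/// URI with an empty address relies on locating a domain
    controller, which a standalone web server cannot do, so it is treated
    as unusable, exactly the case from the thread.
    """
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if not scheme:
        return "unusable", "no URL scheme"
    if scheme not in FETCHABLE_SCHEMES:
        return "unusable", "scheme %r cannot be used to fetch a CRL" % scheme
    if scheme in HOST_REQUIRED and not parsed.netloc:
        return "unusable", "%s URI has no host/address" % scheme
    return "ok", ""


def audit_cdps(uris: List[str]) -> Dict[str, object]:
    """Classify every CDP URI and decide whether revocation can be checked.

    Returns the per-URI verdicts plus a 'checkable' flag that is True only
    when at least one CDP entry is fetchable; a certificate with
    checkable == False would be rejected by a post-MS04-011 IIS.
    """
    verdicts = [(uri,) + classify_cdp(uri) for uri in uris]
    checkable = any(status == "ok" for _, status, _ in verdicts)
    return {"entries": verdicts, "checkable": checkable}


# Constructed sample CDP lists (not taken from any real certificate).
SAMPLE_BAD = [
    # LDAP entry with the address part missing: the failure mode from the thread
    "ldap:///CN=Example%20CA,CN=CDP,DC=example,DC=test?certificateRevocationList?base",
]
SAMPLE_GOOD = [
    "ldap:///CN=Example%20CA,CN=CDP,DC=example,DC=test?certificateRevocationList?base",
    # the same broken entry, but an HTTP entry is also present, so the CRL is reachable
    "http://crl.example.test/ExampleCA.crl",
]

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        result = audit_cdps(sample)
        print("%s: revocation checkable = %s" % (label, result["checkable"]))
        for uri, status, reason in result["entries"]:
            print("  [%s] %s  %s" % (status, uri[:60], reason))
```

Run it against the CDP list of each certificate your CA issues; any certificate whose audit comes back with `checkable == False` will be accepted by an unpatched IIS 5 and rejected with 403.13 by a patched one, which is the behaviour change the thread reports.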