Re: Detailed description of Crypto API changes in MS04-011 available??

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 08/03/04


Date: Tue, 3 Aug 2004 05:13:44 -0700

We are working on an updated version of this paper which will include all
the MS04-011 updates, but unfortunately it is not yet ready.

http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Christian Swoboda" <e9025902@stud2.tuwien.ac.at> wrote in message
news:53682b9d.0408030215.4e364a44@posting.google.com...
> Hi there!
>
> I know it seems a bit late ;-) but since I'm writing a paper about
> "Web Authentication with Client Certificates" and my company uses
> this authentication since 2001 I would like to know if there's
> a detailed description of Crypto API changes which came with
> the patch MS04-011 (especially the changes related to clients
> certificates and CRL checking).
>
> We are using Windows 2000 Server with the latest SPs and patches
> (also since 2001) and IIS 5 (obviously ;-)
>
> Here are a few things I found out so far:
>
> - Before this patch client certificates with a (specific) faulty CDP
>   were NOT seen as revoked by IIS 5 !! This led to the effect that
>   before the patch these certificates were accepted by IIS and after
>   the patch they were rejected (even ones NOT on the CRL!)
>   [e.g. if the only CDP entry is LDAP but the address is missing, the
>         CRL was not checked]
>
> - The CRL-cache directory for IIS has changed from
>   "C:\Documents and Settings\Default User\Local Settings\
>      Temporary Internet Files"
>   to
>   "C:\Documents and Settings\Default User\Application Data\
>      Microsoft\CryptNetUrlCache"
>
>   You can verify this easily with the "certutil" utility which came
>   with Windows Server 2003 (that's how I found out about it):
>
>    certutil -v -urlcache CRL
>
>   BTW: Here's "How to use the Windows Server 2003 version of the
>        Certutil.exe program on a Windows XP or a Windows 2000-based
>        computer"   http://support.microsoft.com/?id=836427
>
> - On one test server the "CertCheckMode" IIS MetaBase setting did not
>   turn off CRL checking when set to 1 (could be a faulty metabase, though)
>
>
> Some other hints about changes can be found here:
>
> Errors with client certificates occur after you install the MS04-011
> security update on an IIS 5.0 computer
> http://support.microsoft.com/?id=841642
>
> IIS returns a "403.13 Client Certificate Revoked" error message after
> you install MS04-011 because of Wininet proxy settings
> http://support.microsoft.com/?id=841641
>
> You receive a "403.13 client certificate revoked" error message after
> you install the MS04-11 security update
> http://support.microsoft.com/?id=841632
>
>
> Maybe this not only leads to a response from Microsoft people, but it
> also helps one or two guys out there scratching their heads right now ...
>
> cheers
>   Chris
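The behaviour change Chris describes above (a client certificate whose only CDP entry cannot be used was accepted before MS04-011 and rejected afterwards) is, in policy terms, the difference between a fail-open and a fail-closed revocation check. The following is an added example modelling that decision, not Microsoft CryptoAPI or IIS code and not part of the original thread. The CDP URLs, serial numbers, the `pki.example.test` host and the CRL contents are constructed for illustration; the "network" is a lookup table standing in for the CRL download and the CryptNetUrlCache lookup.

```python
"""Model of the two CRL-checking behaviours the thread describes, written
as an added example (not Microsoft CryptoAPI or IIS code): before MS04-011
a client certificate whose only CDP entry could not be used was treated as
not revoked; afterwards it is rejected. The CDP URLs, serial numbers and
CRL contents below are constructed for illustration."""
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


class Verdict(Enum):
    OK = "accepted"
    REVOKED = "rejected: serial listed on CRL"
    UNKNOWN = "rejected: revocation status could not be determined"


def usable_cdp(url: str) -> bool:
    """Return True if the distribution point names a host to fetch from.
    An LDAP URL with an empty host part ("ldap:///CN=...") has no address,
    which is the faulty CDP the original post describes; HTTP(S) and LDAP
    URLs are the only kinds this model knows how to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https", "ldap"):
        return False
    return bool(parts.hostname)


def fetch_crl(url: str, crls: Dict[str, Set[int]]) -> Optional[Set[int]]:
    """Stand-in for the CRL download / CryptNetUrlCache lookup: returns the
    revoked serial numbers published at `url`, or None if the distribution
    point cannot be used (the lookup table is the constructed 'network')."""
    if not usable_cdp(url):
        return None
    return crls.get(url)


def check_revocation(serial: int, cdps: List[str],
                     crls: Dict[str, Set[int]], fail_closed: bool) -> Verdict:
    """Walk the CDP entries in order; the first CRL that can be obtained
    decides. If none can, the two behaviours diverge: fail-open (pre-patch)
    accepts the certificate, fail-closed (post-patch) rejects it."""
    for url in cdps:
        revoked = fetch_crl(url, crls)
        if revoked is None:
            continue
        return Verdict.REVOKED if serial in revoked else Verdict.OK
    return Verdict.UNKNOWN if fail_closed else Verdict.OK


# Constructed CA data: one published CRL, with serial 0x1001 revoked.
CRLS: Dict[str, Set[int]] = {"http://pki.example.test/ca.crl": {0x1001}}

# Constructed client certificates: (serial, CDP entries).
CERTS: Dict[str, Tuple[int, List[str]]] = {
    "good-cdp": (0x2002, ["http://pki.example.test/ca.crl"]),
    "revoked": (0x1001, ["http://pki.example.test/ca.crl"]),
    # Only CDP entry is LDAP with the address missing: the case from the post.
    "faulty-cdp": (0x2002, ["ldap:///CN=CA,CN=CDP,DC=example,DC=test"
                            "?certificateRevocationList"]),
    # Faulty entry first, a usable HTTP entry second: the fallback saves it.
    "faulty-then-http": (0x2002, ["ldap:///CN=CA,DC=example,DC=test",
                                  "http://pki.example.test/ca.crl"]),
}


def compare_behaviours() -> Dict[str, Tuple[Verdict, Verdict]]:
    """Return (pre-patch, post-patch) verdicts for each constructed cert."""
    return {
        name: (check_revocation(serial, cdps, CRLS, fail_closed=False),
               check_revocation(serial, cdps, CRLS, fail_closed=True))
        for name, (serial, cdps) in CERTS.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare_behaviours().items():
        print(f"{name:18} before: {before.value:55} after: {after.value}")
```

The "faulty-cdp" certificate is the one that changes verdict: it is not on any CRL, yet the post-patch (fail-closed) path rejects it because no CRL could be obtained, which matches the "rejected (even ones NOT on the CRL!)" observation. The "faulty-then-http" case shows why a usable HTTP distribution point alongside the LDAP entry avoids the problem without relaxing the check.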

