
Client certificate revocation is not working


Yuriy

Oct 1, 2012, 6:49:06 PM10/1/12

Hello colleagues!

I need help with revocation of a client certificate in OpenSSL (v 0.9.8n).
I have set up a CA with a self-signed certificate so I can generate and sign client certificates, which are used to access squid, which in turn forwards traffic to the Exchange server.
In the squid.conf file there is this line, which is responsible for asking for the client certificate:

##
clientca=/root/sslCA/cacert.pem capath=/root/sslCA
##

/root/sslCA/cacert.pem is the CA certificate.

I also created a crl.pem in /root/sslCA/crls/ for certificate revocation.

The situation is as follows:

If a client connects without having a client certificate installed, it gets an error (Error code: ssl_error_handshake_failure_alert) and no connection is established.
If the certificate generated with the OpenSSL CA is installed on the client, then it can connect to the server.
So far so good.

Now I want to disallow one client to connect to the server.

I revoke the certificate:
# openssl ca -revoke username.crt
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Revoking Certificate 1003.
Data Base Updated

Update the CRL:
# openssl ca -gencrl -out /root/sslCA/crls/crl.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:


I check to see if the certificate is revoked:
# openssl crl -in /root/sslCA/crls/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: xxxxxx
        Issuer: xxxxxx
        Last Update: Oct  1 22:04:24 2012 GMT
        Next Update: Sep 29 22:04:24 2022 GMT
        CRL extensions:
            X509v3 CRL Number:
                4098
Revoked Certificates:
    Serial Number: 1003
        Revocation Date: Oct  1 22:02:32 2012 GMT


It shows that certificate 1003 is revoked.

Now I try to connect to the server with this client's certificate and the connection is established just fine. How is this possible?
I thought that if you revoke a certificate it won't be accepted by the CA anymore? But in my case it is accepted even though the CA shows the certificate's status as revoked.
How can I prohibit/invalidate the client's certificate so it cannot connect to the server anymore?

Thank you in advance for any helpful suggestions.
Yuriy

KoloboK

Oct 1, 2012, 7:36:06 PM10/1/12

I managed to solve my problem.
I just needed to add the path to the CRL file to my squid config (crlfile=/root/sslCA/crls/crl.pem), and now when connecting with a revoked certificate I get a message that the certificate was revoked and no connection to the backend server is established.

Yuriy
--
View this message in context: http://old.nabble.com/Client-certificate-revocation-is-not-working-tp34502546p34502681.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
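The following script is an added example and is not part of the thread or of the squid or OpenSSL projects. It reproduces both halves of the thread with the openssl command line: the surprise in the first post (a plain chain check against the CA certificate still accepts a certificate after `openssl ca -revoke` and `-gencrl`, because revocation only updates the CA's own index and the CRL file, which the verifying server never reads on its own) and the fix in the follow-up (once the verifier is handed the CRL, the equivalent of squid's crlfile=, the same certificate is rejected). It assumes `openssl` is on PATH, builds a throwaway CA in a temporary directory it creates, and the CA layout, file names and the CN "username" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, issue and revoke a
# client certificate, and show that OpenSSL only rejects it when the verifier
# is given the CRL. Everything lives in a temporary directory created here.
set -u

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"   # constructed location for the demo CA

# Minimal openssl.cnf sufficient for `openssl ca` and `openssl req` (constructed).
write_ca_config() {
    cat > "$DEMO_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $DEMO_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_ext

[ policy_any ]
commonName       = supplied

[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Create the CA database files and a self-signed CA certificate.
setup_demo_ca() {
    write_ca_config
    mkdir -p "$DEMO_DIR/newcerts"
    : > "$DEMO_DIR/index.txt"
    echo 1000 > "$DEMO_DIR/serial"
    echo 1000 > "$DEMO_DIR/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$DEMO_DIR/openssl.cnf" \
        -keyout "$DEMO_DIR/cakey.pem" -out "$DEMO_DIR/cacert.pem" 2>/dev/null
}

# Issue a client certificate for the given CN; prints its path.
issue_client_cert() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -config "$DEMO_DIR/openssl.cnf" \
        -keyout "$DEMO_DIR/$name.key" -out "$DEMO_DIR/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$DEMO_DIR/openssl.cnf" \
        -in "$DEMO_DIR/$name.csr" -out "$DEMO_DIR/$name.crt" 2>/dev/null
    echo "$DEMO_DIR/$name.crt"
}

# The two steps from the thread: mark the cert revoked, then regenerate the CRL.
revoke_client_cert() {
    openssl ca -config "$DEMO_DIR/openssl.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$DEMO_DIR/openssl.cnf" -gencrl -out "$DEMO_DIR/crl.pem" 2>/dev/null
}

# Chain check only: what a server does when it knows the CA but not the CRL.
verify_without_crl() {
    if openssl verify -CAfile "$DEMO_DIR/cacert.pem" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Chain check plus CRL lookup: what squid does once crlfile= points at the CRL.
verify_with_crl() {
    if openssl verify -crl_check -CAfile "$DEMO_DIR/cacert.pem" \
            -CRLfile "$DEMO_DIR/crl.pem" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Stand-alone run: issue, revoke, then compare the two verification modes.
if [ "${DEMO_RUN:-1}" = 1 ]; then
    setup_demo_ca
    CERT=$(issue_client_cert username)
    echo "before revocation, no CRL:  $(verify_without_crl "$CERT")"
    revoke_client_cert "$CERT"
    echo "after revocation, no CRL:   $(verify_without_crl "$CERT")"
    echo "after revocation, with CRL: $(verify_with_crl "$CERT")"
fi
```

The point the two verify functions make is that `openssl ca -revoke` and `-gencrl` never touch the verifying side: they write to the CA's index.txt and to crl.pem, and a server that was only given the CA certificate has no way to learn about either. Revocation therefore takes effect only where the CRL is actually loaded (squid's crlfile=, or `-crl_check` with `-CRLfile` on the command line), and because a CRL carries a Next Update time, each regenerated CRL has to be loaded by the server again before the previous one expires.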

Sergey

Oct 1, 2012, 6:42:37 PM10/1/12