SSL mode with Intermediate Certificate Authorities and CRLS seems broken

Andrew's PostgreSQL blog

Wednesday, December 19. 2012

SSL mode with Intermediate Certificate Authorities and CRLS seems broken

Here's a problem I and some others have been wrestling with. The problem was presented by a PostgreSQL Experts client. If you want to play along, here are the test files I have been using. Included is a root Certificate Authority certificate, an Intermedfiate Certificate Authority certificate signed by the root CA, a server certificate and key and two client certificates and associated keys, and a revocation certificate which revokes the second client certificate. The server certificate, client certificates and revocation certificate are all signed by the Intermediate CA. The client certificates are for a user named "andrew" :-)

Our test platform is PostgreSQL 9.1 built with openssl, and a config setting of 'ssl = on', a user and database both named "andrew" and the following pg_hba.conf line:
hostssl   all  all 127.0.0.1/32 cert
All the binaries are under $INSTALL and so is the data directory.

To install the server certificates (but not the CRL just yet) we do:
cat root.crt > $INSTALL/data/root.crt
cat server.crt ra.crt > $INSTALL/data/server.crt
cat server.key > $INSTALL/data/server.key
$INSTALL/bin/pg_ctl -D $INSTALL/data -l $INSTALL/logfile -w start
Next we test both client certificates are working:
$ $INSTALL/bin/psql 'host=localhost sslmode=verify-ca sslcert=client.crt sslkey=client.key sslrootcert=root.crt'
psql (9.1.3)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

andrew=# \q
$ $INSTALL/bin/psql 'host=localhost sslmode=verify-ca sslcert=client2.crt sslkey=client2.key sslrootcert=root.crt'
psql (9.1.3)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

andrew=# \q
$
So far, so good. Now let's install the revocation certificate
cat cli2.crl > $INSTALL/data/root.crl
$INSTALL/bin/pg_ctl -D $INSTALL/data -l $INSTALL/logfile -w restart
Is the revocation effective?
$ $INSTALL/bin/psql 'host=localhost sslmode=verify-ca sslcert=client2.crt sslkey=client2.key sslrootcert=root.crt'
psql: SSL error: sslv3 alert certificate revoked
$
Yes, it sure is. So let's make sure we can still use the unrevoked certificate:
$ $INSTALL/bin/psql 'host=localhost sslmode=verify-ca sslcert=client.crt sslkey=client.key sslrootcert=root.crt'
psql: SSL error: tlsv1 alert unknown ca
$
Oops! That's not supposed to happen!

Anyone who can shed some light on what's going on here would earn at least some gratitude from me. I don't think I'm doing anything wrong, but I could certainly be missing something. This looks like a nasty bug, but I'm not sure if it's a bug in Postgres or in OpenSSL.


Posted by Andrew Dunstan in PostgreSQL at 21:13 | Comments (8) | Trackbacks (0)

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Andrew,<br />
<br />
I am unable to download the testcerts archive. It returns a 'The requested URL /andrew/uploads/testcerts.tgz was not found on this server.<br />
<br />
Robert

#1 R Morgan on 2012-12-19 23:46 (Reply)

Apologies. Serendipity is a major nuisance. Try the url that's there now - it should work.

#1.1 Andrew Dunstan on 2012-12-20 00:05 (Reply)

Andrew,<br />
<br />
Have you tried concatenating the root crt and the crl together as well as providing the lone crl file?<br />
<br />
I seemed to remember reading something very similiar quite some time ago where that was required but not obvious.<br />
<br />
Robert

#1.1.1 R Morgan on 2012-12-20 01:02 (Reply)

Andrew,<br />
<br />
Also, you can try adding the root.crt last to the server.crt (server.crt + ra.crt).<br />
<br />
Robert

#1.1.2 R Morgan on 2012-12-20 01:20 (Reply)

Yes, I've tried every combination I can think of. The reason I provided the certificates is so you can try things too, instead of just asking me to.

#1.1.2.1 Anonymous on 2012-12-20 01:41 (Reply)

I apologize Andrew. At the time, I was not at a machine I could troubleshoot from. I was just going through my memory of similiar OpenSSL issues I had encountered in the past.<br />
<br />
Robert

#1.1.2.1.1 R Morgan on 2012-12-20 17:54 (Reply)

No problem. And we now have a solution <img src="/andrew/templates/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" /> (needed the CRL file to contain a CRL for the root CA).

#1.1.2.1.1.1 Andrew Dunstan on 2012-12-20 18:07 (Reply)

Usually when CRL verification is turned on it means that you need to have a valid CRL for all the CA's in the cert chain. Can you generate the CRL for the root CA and append it to the crl file? I believe that this CRL is needed even if no certificate is revoked by the root CA.<br />
<br />
Radu

#2 Radu Radutiu on 2012-12-20 10:18 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
Wiki format allowed
 
 

My Links etc

PostgreSQL Home
Planet.PostgreSQL.org
PostgreSQL Experts Inc.
Dunslane Consulting, LLC

My Github Page
My BitBucket Page
My public gists

Non-Tech Rants and Raves

Blog Administration

Open login screen

Calendar

Back June '13
Mon Tue Wed Thu Fri Sat Sun
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Quicksearch

Archives

Categories



All categories

Syndicate This Blog

Powered by

Serendipity PHP Weblog