Re: Problem with IIS5 - "expired" CRLs not working?

From: Ohaya (Ohaya_at_NO_SPAM.cox.net)
Date: 03/30/04


Date: Tue, 30 Mar 2004 15:47:27 -0500

David,

I installed CAPIMON per your suggestion, last night, but I'm still trying to
figure out how to use it :). It looks like it installs some kind of "shim"
in front of the CryptoAPI? Sorry to ask, but what exactly do you suggest I
setup for the filters(?)? I'm trudging my way through the docs...

Jim

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:uOIs6xlFEHA.3252@TK2MSFTNGP11.phx.gbl...
> I am not an expert on IIS, but I would need some more information to help
> you troubleshoot the issue. Can you install CAPIMON and shim IIS5 and
> determine what error (or status) is being returned by CryptoAPI to IIS?
> That will help us determine if:
>
> 1) CryptoAPI is returning the right status to IIS
>
> 2) IIS is determining the right action based on this status
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> http://support.microsoft.com
>
> "Ohaya" <Ohaya@NO_SPAM.cox.net> wrote in message
> news:ep4er1bFEHA.2308@tk2msftngp13.phx.gbl...
> > David,
> >
> > Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
> > occurring. I can revoke a cert, import the new CRL into the ICA, and voila,
> > connecting using the revoked cert will fail with 403.13.
> >
> > Revocation checking, per se, is NOT the problem.
> >
> > The problem is that when the CRL in the ICA is expired, things keep on
> > working just as if the CRL was not expired.
> >
> > Jim
> >
> > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > news:ePPgdUZFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > This may be a nuance with IIS 5.0, but many applications treat no CDP in
> > > certs as an indicator that revocation does not need to be checked.
> > >
> > > Windows Server 2003 CryptoAPI is a little smarter in that even if the
> > > application allows the "no check" status to be interpreted as "OK",
> > > CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
> > >
> > > As per your reply:
> > >
> > > (again my client certs don't have CDP populated).
> > >
> > > --
> > >
> > > David B. Cross [MS]
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Ohaya" <ohaya@cox.net> wrote in message
> > > news:4065F9AB.8B3395C1@cox.net...
> > > > Hi,
> > > >
> > > > I just got done installing Windows 2003 (took me 3 tries :(), and IIS6,
> > > > and in this clean, "out-of-the-box" configuration, I tested, and,
> > > > indeed, it appears that:
> > > >
> > > > 1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
> > > > 2000 AS apparently does not).
> > > >
> > > > 2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
> > > > (again my client certs don't have CDP populated).
> > > >
> > > > As with the earlier clean-install Win2K AS, this Win2K3 install was as a
> > > > standalone server (no AD and no Certificate Services).
> > > >
> > > > Re. #2 above, I need to add that initially, obviously, there was not a
> > > > CRL stored in the ICA, and in this initial configuration, IIS6 did allow
> > > > connections.
> > > >
> > > > I then did testing using CertMgr to add a CRL (to test the validity
> > > > period checking), and after that, I deleted the CRL from the ICA.
> > > >
> > > > After I deleted the CRL from the ICA, IIS6 would not allow connections.
> > > >
> > > > Jim
> > > >
> > > > Ohaya wrote:
> > > > >
> > > > > David,
> > > > >
> > > > > Thank goodness you're still here!!
> > > > >
> > > > > I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
> > > > > I'm starting to come to the conclusion that this (and another problem) are
> > > > > Win2K AS-related (vs. Win2K3). Let me try to explain...
> > > > >
> > > > > Late last year, when I first started testing, I started with a Win2K3
> > > > > installation. During that time, I began keeping a project notebook, where I
> > > > > commented on my test results (including a lot of the conversations I had
> > > > > here and on the inetserver.iis.security NG). According to my notes at that
> > > > > time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
> > > > > security-wise):
> > > > >
> > > > > - It obeyed the CRL validity period (Next Update date, etc.), and
> > > > > - If no CRL was in the ICA store (deleted from store using CertMgr.exe and
> > > > > confirmed using the MMC Certificates snap-in), IIS6 would not allow
> > > > > connections at all for the website.
> > > > >
> > > > > As I continued testing, I eventually got a Win2K AS CD from my company,
> > > > > since what we were actually going to stand up were Win2K AS machines.
> > > > >
> > > > > From my notes from that time, it appears that I did not go back and check
> > > > > those 2 behaviors that I mentioned above related to CRL processing.
> > > > >
> > > > > I really should have noticed at least the first problem, a LONG time ago,
> > > > > since the Next Update date on the test CRLs that I got was January 29, 2004,
> > > > > but very stupidly on my part, I didn't :(...
> > > > >
> > > > > In other words, we're using these same test CRLs in a couple of different
> > > > > test labs (all running Win2K Server or Advanced Server), and they're ALL
> > > > > still working, and I didn't even think about it. Darn!!!
> > > > >
> > > > > Just recently, I started putting together a "Lessons Learned" document for
> > > > > my company, and actually for our partner community, and in beginning to do
> > > > > that, I started going back through my notes and trying to reproduce the
> > > > > results that I had documented in my notes.
> > > > >
> > > > > And, that's when I started finding these differences/problems.
> > > > >
> > > > > I am going to have to try to recreate my earlier Win2K3 environment, but
> > > > > I've already created a clean install of Win2K AS (SP4), and with the Win2K
> > > > > AS, it is definitely working with the expired CRLs, and IIS5 definitely is
> > > > > not shutting down websites that are SSL (client) secured when I delete the
> > > > > CRL from the ICA store.
> > > > >
> > > > > Once I get some time to rebuild a Win2K3 environment, I'll try this again,
> > > > > but unless my (voluminous) notes are completely whacked, I think that I'm
> > > > > going to find that Win2K3 does obey the CRL expiration date and does lock
> > > > > down the SSL (client) secured websites when I delete the CRL from the ICA
> > > > > store.
> > > > >
> > > > > Our policy and standard maintenance practices do call for ensuring that the
> > > > > CRLs are both populated and updated, so hopefully this won't be a problem,
> > > > > but if things turn out the way I'm alluding to above, these 2 problems seem
> > > > > like a kind of major problem in Win2K AS/IIS5?
> > > > >
> > > > > Will post back, but probably not immediately...
> > > > >
> > > > > Jim
> > > > >
> > > > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > > > news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> > > > > > As an additional troubleshooting step, you can use CAPIMON to debug
> > > > > > exactly what IIS is doing and what information is being returned by
> > > > > > CryptoAPI through CAPIMON:
> > > > > >
> > > > > > http://www.microsoft.com/downloads/details.aspx?FamilyId=0BFE87A8-4E79-4441-9D4C-0CAB35D49A01&displaylang=en.
> > > > > >
> > > > > > --
> > > > > >
> > > > > > David B. Cross [MS]
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > rights.
> > > > > >
> > > > > > http://support.microsoft.com
> > > > > >
> > > > > > "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> > > > > > news:4064E434.1B258495@N_O_S_P_A_M_cox.net...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I have a new/clean Win2K Advanced Server installation with IIS5. This
> > > > > > > machine is a standalone server, i.e., it is not a member of a domain,
> > > > > > > and I've updated Win2K through SP4.
> > > > > > >
> > > > > > > The IIS5 website is configured for SSL with client and server
> > > > > > > authentication, and that part is working. My server and client certs
> > > > > > > are issued by a 3rd party CA, and all the client certs do not have the
> > > > > > > CDP populated.
> > > > > > >
> > > > > > > For my testing earlier, my CA provided me with several test CRLs, along
> > > > > > > with associated client certs, and I've been using CertMgr.exe to import
> > > > > > > the test CRLs into the Intermediate Certification Authorities (ICA)
> > > > > > > store during my testing.
> > > > > > >
> > > > > > > However, today I noticed that the test CRLs all have a "Next Update"
> > > > > > > date of 1/29/04, and since today is 3/26/04, I can't understand how
> > > > > > > these CRLs could still be working. It seems like they should be
> > > > > > > considered invalid and that since IIS5 is calling CryptoAPI to do the
> > > > > > > CRL checking, that I should be getting some kind of error?
> > > > > > >
> > > > > > > I've checked the system date on the server, and it's definitely correct
> > > > > > > (today's date), so I'm really puzzled. I really have the impression
> > > > > > > that CryptoAPI (and thus IIS5) would throw some kind of error if the CRL
> > > > > > > was not within the validity period.
> > > > > > >
> > > > > > > Can someone explain why these out-of-validity-period CRLs still seem to
> > > > > > > work all right?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Jim
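The thread contrasts two revocation behaviours: on Win2K/IIS5 a revoked serial is still rejected (403.13), but a CRL past its Next Update keeps being honoured and a missing CRL is treated as "nothing to check"; on Win2K3/IIS6 a stale or missing CRL locks the site down. The following is an added example, not code from the thread, from Microsoft, or from CryptoAPI: it models a CRL by the three fields that drive the decision (issuer, validity window, revoked serials), separates fact-gathering from policy, and runs both policies over the dates quoted in the thread. The issuer name, the serial numbers and the This Update dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Crl:
    """The CRL fields that drive the accept/reject decision (constructed model)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int] = frozenset()

    def is_fresh(self, now: datetime) -> bool:
        # A CRL speaks for its issuer only until its Next Update time.
        return self.this_update <= now < self.next_update


@dataclass(frozen=True)
class RevocationFacts:
    crl_present: bool   # a CRL for the cert's issuer was found in the store
    crl_fresh: bool     # that CRL is inside its validity window right now
    listed: bool        # the cert's serial appears on that CRL


def gather_facts(issuer: str, serial: int, store: Dict[str, Crl],
                 now: datetime) -> RevocationFacts:
    """Collect the raw facts; no policy decision is made here."""
    crl: Optional[Crl] = store.get(issuer)
    if crl is None:
        return RevocationFacts(False, False, False)
    return RevocationFacts(True, crl.is_fresh(now), serial in crl.revoked_serials)


def decide_strict(f: RevocationFacts) -> bool:
    """Fail closed: admit only on a fresh CRL that does not list the cert.
    A missing or stale CRL means the status is unknown, so the client is rejected."""
    return f.crl_present and f.crl_fresh and not f.listed


def decide_lenient(f: RevocationFacts) -> bool:
    """The behaviour the thread reports for Win2K/IIS5: a listed serial is still
    caught, but a stale CRL is used as if it were current and a missing CRL is
    treated as 'nothing to check'. Freshness is deliberately ignored here."""
    if not f.crl_present:
        return True
    return not f.listed


# --- constructed sample data; only the two quoted dates come from the thread ---
UTC = timezone.utc
ISSUER = "CN=Test CA (placeholder)"
STALE_CRL = Crl(ISSUER, datetime(2003, 12, 30, tzinfo=UTC),
                datetime(2004, 1, 29, tzinfo=UTC),   # the "Next Update" of 1/29/04
                frozenset({0x1001}))                  # constructed revoked serial
FRESH_CRL = Crl(ISSUER, datetime(2004, 3, 1, tzinfo=UTC),
                datetime(2004, 4, 29, tzinfo=UTC),
                frozenset({0x1001}))
NOW = datetime(2004, 3, 26, tzinfo=UTC)               # "today" in the original post

SCENARIOS = {
    "revoked cert, stale CRL": ({ISSUER: STALE_CRL}, 0x1001),
    "good cert, stale CRL":    ({ISSUER: STALE_CRL}, 0x1002),
    "good cert, no CRL":       ({},                  0x1002),
    "good cert, fresh CRL":    ({ISSUER: FRESH_CRL}, 0x1002),
}


def run_scenarios(now: datetime = NOW) -> Dict[str, Dict[str, bool]]:
    """Admit/reject verdict for every scenario under both policies."""
    out = {}
    for name, (store, serial) in SCENARIOS.items():
        facts = gather_facts(ISSUER, serial, store, now)
        out[name] = {"lenient": decide_lenient(facts), "strict": decide_strict(facts)}
    return out


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:26s} lenient={verdicts['lenient']!s:5s} strict={verdicts['strict']}")
```

The two policies agree only when a fresh CRL is present. The lenient rule reproduces exactly what Jim observed: revocation "works" for a revoked cert even though the CRL expired two months earlier, which is why the expiry went unnoticed in every lab. A monitoring check that alerts when `is_fresh()` turns false for any CRL in the store catches the condition regardless of which policy the server enforces.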


