Re: Problem with IIS5 - "expired" CRLs not working?

Ohaya 2004-03-27, 11:35 am
David,
Thank goodness you're still here!!
I'll check on CAPIMON and with the registry thing you pointed to, but FYI,
I'm starting to come to the conclusion that this (and another problem) are
Win2K AS-related (vs. Win2K3). Let me try to explain...
Late last year, when I first started testing, I started with a Win2K3
installation. During that time, I began keeping a project notebook, where I
commented on my test results (including a lot of the conversations I had
here and on the inetserver.iis.security NG). According to my notes at that
time, I confirmed that Win2K3/IIS6 did a couple of things (that were good,
security-wise):
- It obeyed the CRL validity period (Next Update date, etc.), and
- If no CRL was in the ICA store (deleted from store using CertMgr.exe and
confirmed using the MMC Certificates snap-in), IIS6 would not allow
connections at all for the website.
As I continued testing, I eventually got a Win2K AS CD from my company,
since what we were actually going to stand up were Win2K AS machines.
From my notes from that time, it appears that I did not go back and check
those 2 behaviors that I mentioned above related to CRL processing.
I really should have noticed at least the first problem, a LONG time ago,
since the Next Update date on the test CRLs that I got was January 29, 2004,
but very stupidly on my part, I didn't ...
In other words, we're using these same test CRLs in a couple of different
test labs (all running Win2K Server or Advanced Server), and they're ALL
still working, and I didn't even think about it. Darn!!!
Just recently, I started putting together a "Lessons Learned" document for
my company, and actually for our partner community, and in beginning to do
that, I started going back through my notes and trying to reproduce the
results that I had documented in my notes.
And, that's when I started finding these differences/problems.
I am going to have to try to recreate my earlier Win2K3 environment, but
I've already created a clean install of Win2K AS (SP4), and with the Win2K
AS, it is definitely working with the expired CRLs, and IIS5 definitely is
not shutting down websites that are SSL (client) secured when I delete the
CRL from the ICA store.
Once I get some time to rebuild a Win2K3 environment, I'll try this again,
but unless my (voluminous) notes are completely whacked, I think that I'm
going to find that Win2K3 does obey the CRL expiration date and does lock
down the SSL (client) secured websites when I delete the CRL from the ICA
store.
Our policy and standard maintenance practices do call for ensuring that the
CRLs are both populated and updated, so hopefully this won't be a problem,
but if things turn out the way I'm alluding to above, these 2 problems seem
like a kind of major problem in Win2K AS/IIS5?
Will post back, but probably not immediately...
Jim
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:u18e3pAFEHA.3096@TK2MSFTNGP11.phx.gbl...
> As an additional troubleshooting step, you can use CAPIMON to debug
> exactly what IIS is doing and what information is being returned by
> CryptoAPI through CAPIMON:
>
> http://www.microsoft.com/downloads/...displaylang=en.
>
> --
> David B. Cross [MS]
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> http://support.microsoft.com
>
> "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> news:4064E434.1B258495@N_O_S_P_A_M_cox.net...

Hi,
I just got done installing Windows 2003 (took me 3 tries), and IIS6,
and in this clean, "out-of-the-box" configuration, I tested, and,
indeed, it appears that:
1) Win2K3 *DOES* obey the validity period in the CRLs (whereas Windows
2000 AS apparently does not).
2) Win2K3 *DOES* lock down the website if NO CRL is in the ICA store
(again my client certs don't have CDP populated).
As with the earlier clean-install Win2K AS, this Win2K3 install was as a
standalone server (no AD and no Certificate Services).
Re. #2 above, I need to add that initially, obviously, there was not a
CRL stored in the ICA, and in this initial configuration, IIS6 did allow
connections.
I then did testing using CertMgr to add a CRL (to test the validity
period checking), and after that, I deleted the CRL from the ICA.
After I deleted the CRL from the ICA, IIS6 would not allow connections.
Jim

David,
Prior to doing the clean Win2K3 installation, I had imaged the clean
Win2K AS installation so that I could relatively easily switch back and
forth between Win2K AS and Win2K3.
I've been doing further testing, and, at this point, I can confirm that
on Win2K Advanced Server (SP4), the validity period of CRLs is being
ignored. More specifically, what I have been able to test is that even
when the "Next Update" date on CRLs has passed, IIS5 is still processing
connection requests normally.
I would guess that this is probably a problem with CryptoAPI, i.e., it's
not just IIS5 users that would be affected.
Assuming that my testing thus far holds, is there some mechanism for
making Microsoft aware of this?
As I mentioned earlier, under normal operational procedures, this
problem hopefully won't be a problem, but, if for some reason, there
happens to be a situation where a CRL doesn't get updated on a timely
basis, this then becomes a real security vulnerability IMHO.
Jim

Hi,
Since the last post below, I've been continuing to try all manner of
things to try to get Windows 2000 AS to actually "care" about the
validity period of the CRL in the ICA, but unfortunately, have failed.
It appears that Win2K AS simply doesn't check the validity period of the
CRL.
I have tried setting a number of the Metabase parameters, and was
especially hopeful with CertCheckMode, because the descriptions on MS'
website and that SSLDiag displays actually SAY that under certain
settings (e.g., CertCheckMode=2), revocation checking will FAIL if the
CRL is expired.
But, this has all been for nought. Nada. Nothing.
Sorry to be so verbal, but this is getting frustrating!!
FYI, I've revisited our operational procedures. Originally, the way the
procedures were written, they were mainly geared towards ensuring and
verifying that our CRL retrievals were occurring successfully. This was
because the assumption was that IIS would actually obey the CRL validity
period.
But, if IIS does NOT obey the CRL validity period, then I fear that our
procedures will need to be extended to not only verifying that our CRL
retrieval process was successful, but we'll also have to actually check
each CRL to make sure that the CRLs are not stale. This is because if
we cannot depend on IIS to check the CRL validity period, and if one of
our CAs just happens not to update their CRL, even if we successfully
retrieve the CRL, we could end up with a stale CRL, and IIS would just
continue to merrily allow connections from clients.
So, I'd really like to request that anyone from Microsoft who is
monitoring these newsgroups to please review this problem/issue and to
please respond so that I can determine what I need to do.
Jim
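An added example, not from the thread or from Microsoft: a stand-alone check of a CRL's Next Update of the kind the extended procedures above call for, so that a stale CRL pulled from a CA is caught before it is imported into the ICA store instead of relying on IIS5 to reject it. The CRL bytes are constructed inside the block (the issuer name, dates and dummy signature are assumptions); against real CRLs you would read the DER file from disk and pass its bytes to crl_is_stale.

```python
import datetime as dt

INTEGER, UTC_TIME, GEN_TIME, SEQUENCE, UTC = 0x02, 0x17, 0x18, 0x30, dt.timezone.utc

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's payload into (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == UTC_TIME:  # YYMMDDhhmmssZ; RFC 5280: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    _, cert_list, _ = _read_tlv(der, 0)
    fields = _children(_children(cert_list)[0][1])  # members of tbsCertList
    i = (1 if fields[0][0] == INTEGER else 0) + 2   # skip version, signature, issuer
    this_update, i = _parse_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (UTC_TIME, GEN_TIME):
        next_update = _parse_time(*fields[i])
    return this_update, next_update

def crl_is_stale(der, now=None):
    """Past Next Update, or no Next Update at all: do not import into the ICA store."""
    now = now or dt.datetime.now(UTC)
    _, next_update = crl_validity(der)
    return next_update is None or now > next_update

def _der(tag, payload):
    """Minimal DER encoder, used only to construct the sample CRL below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_crl(this_update, next_update):
    """CONSTRUCTED unsigned sample CRL; issuer name and dummy signature are assumptions."""
    utc = lambda d: _der(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(SEQUENCE, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    cn = _der(SEQUENCE, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Test ICA"))
    tbs = _der(INTEGER, b"\x01") + alg + _der(SEQUENCE, _der(0x31, cn)) + utc(this_update)
    tbs += utc(next_update) if next_update else b""
    return _der(SEQUENCE, _der(SEQUENCE, tbs) + alg + _der(0x03, b"\x00" * 17))

# Constructed sample: Next Update Jan 29, 2004 (the thread's test-CRL date), checked Mar 27, 2004.
SAMPLE_CRL = build_sample_crl(dt.datetime(2004, 1, 1, 12, tzinfo=UTC),
                              dt.datetime(2004, 1, 29, 12, tzinfo=UTC))
CHECK_TIME = dt.datetime(2004, 3, 27, 11, 35, tzinfo=UTC)
```

For SAMPLE_CRL at CHECK_TIME, crl_is_stale returns True; a CRL that omits Next Update entirely is also reported stale, since its freshness cannot be established.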

David Cross [MS] 2004-03-29, 9:49 am
This may be a nuance with IIS 5.0, but many applications treat no CDP in
certs as an indicator that revocation does not need to be checked.
Windows Server 2003 CryptoAPI is a little smarter in that even if the
application allows the "no check" status to be interpreted as "OK",
CryptoAPI can return a "bad" status if it finds a CRL in the CA store.
As per your reply:
(again my client certs don't have CDP populated).
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

David Cross [MS] 2004-03-29, 9:49 am
I need to know if your certs actually contain a CDP extension or not. Based
on my previous reply, this may be the problem and difference between win2k
and 2003.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

David,
Just to be clear, with our config, with Win2K/IIS5, revocation checking IS
occurring. I can revoke a cert, import the new CRL into the ICA, and voila,
connecting using the revoked cert will fail with 403.13.
Revocation checking, per se, is NOT the problem.
The problem is that when the CRL in the ICA is expired, things keep on
working just as if the CRL was not expired.
Jim

David,
Question (serious, not intended to be sarcastic in any way): Should I
interpret your response below (i.e., that if client certs don't have
CDP, that the intended behavior of IIS5 is that it will not check
whether CRLs are expired or not while it does certificate revocation
checking) as Microsoft's position on this?
I am asking because I need to know if this is the case, or whether there
is any hope (e.g., possibly with some combination of metabase and
registry entries that I haven't tried yet) of getting IIS5 to behave in
such a way that, when client certs don't contain a CDP, that IIS5 checks
the CRL validity period when it does certificate revocation checking.
Thanks,
Jim