Educating yourself does not mean that you were stupid in the first place; it means that you are intelligent enough to know that there is plenty left to 'learn'. -Melanie Joy

Friday, 23 June 2017

OpenLDAP - How to enable CRL check for LDAP TLS connections?

June 23, 2017 Posted by Dinesh , , , , , ,
Refer the old post to understand more about certificate chain verification and CRL.

Here we will see how to establish a secure connection using OpenLDAP. OpenLDAP provides set of "set" options through which we can enable the CRL check, supply required certificates and we can set the verify call back. Using this verify call back we can control OpenLDAP behavior on each certificate verification.

Below example is a typical client process which is providing CA certificate and during TLS connection server will be sending the EE (along with intermediate certificates) to form a complete chain. During the connection negotiation, these certificates are validated.

Once the CRL check is enabled, during certificate verification, OpenSSL calls default call back which has the default implementation of breaking the verification once the error occurred.

Here in the below example, we are registering LDAP call back, using this we will get access to SSL store objects and we can set the SSL call back. In the SSL verify call back we will ignore some set of errors like  X509_V_ERR_UNABLE_TO_GET_CRL", "X509_V_ERR_CRL_HAS_EXPIRED", "X509_V_ERR_CRL_NOT_YET_VALID"  and proceed with the connection.




Tuesday, 23 May 2017

OpenSSL - How to verify certificate chain with CRL?

May 23, 2017 Posted by Dinesh , , ,
When any certificate is issued, it has a validity period which is defined by the Certification Authority. Usually, this is one or two years.

However, sometimes certificates should not be honored even during their validity period. For example, if the private key associated with a certificate is lost or exposed, then any authentication using that certificate should be denied.

That's where CRL comes into the picture. A CRL is a Certificate Revocation List which contains the list of certificates revoked by the authority.
These CRLs are usually stored in a centralized locations called CRL Distribution Point. This distribution point URI/URL will be made available in the certificate extensions by the authority.

Now let's say we have certificate chain like rca->ica->ee and CRL issued by rca and ica, How can we verify the certificate chain?

Command line:

openssl verify -crl_check -verbose -CAfile <(cat rca.pem ica.pem crl_rca.pem crl_ica.pem) ee.pem

C++ way:
Here is the sample class called CertificateStore which is used to verify the certificate chain with CRL.
This class creates a global store and a store context (ctx). All the required flags and the directory paths are set to the global store and certificate chain verify happens through store ctx.

This store ctx can be used only once to verify the certificate chain. If you want to verify new chain, new store ctx has to be created but this new store ctx can be initialized from the global store using which it can inherit the properties of the global store.

We can add certificates and CRLs to the store individually using X509_STORE_add_cer/X509_STORE_add_crl methods or we can use the directory lookup using the X509_LOOKUP_add_dir method.

If you are using hash directory lookup, OpenSSL computes the hash of the issuer and searches for the file with the name which matches <hash>.rN.
More details in https://www.openssl.org/docs/man1.1.0/crypto/X509_LOOKUP_file.html