After many problems trying to use Apache with MOD_SSL and OCSP, I began searching for other solutions for setting up this server.
I've narrowed them down to three free alternatives:
MOD_NSS http://directory.fedoraproject.org/wiki/Mod_nss
Webcullis http://pkif.sourceforge.net/webcullis.html
Pathfinder http://www.carillon.ca/tools/pathfinder.php
After some searching, MOD_NSS looked to me a bit, how can I say, stalled. There is not a lot of movement on its mailing lists, and there are not many hits for MOD_NSS plus OCSP, or at least not as many as for MOD_SSL and OCSP. Whether this is a bad thing or a good sign I don't know. I've decided to test Webcullis first.
I went to its web page, the PKIF project, and downloaded webcullis-2.1.11-RHEL5-gcc41-dist (the current version at the time of this writing).
I uncompressed it in the ROOT directory and followed the INSTALL file step by step.
(NOTE: Webcullis expects to find the CA certificates in DER format, so I converted all the individual certificates that I had downloaded from the CA website to DER format using "openssl x509 -in certificate.crt -out certificate.cer -outform der".)
mkdir -p /etc/webcullis/trustroots
mkdir -p /var/log/webcullis
mkdir -p /usr/local/webcullis/lib
cd /root/webcullis-2.1.11-RHEL5-gcc41-dist
cp lib/* /usr/local/webcullis/lib/
cp conf/* /etc/webcullis/
cd /etc/pki/tls/certs
cp *.cer /etc/webcullis/trustroots/
echo /usr/local/webcullis/lib > /etc/ld.so.conf.d/webcullis.conf
ldconfig
ln -s /usr/local/webcullis/lib/libmod_auth_webcullis.so /etc/httpd/modules
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.original
vi /etc/httpd/conf.d/ssl.conf

The directives in /etc/httpd/conf.d/ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_webcullis_module modules/libmod_auth_webcullis.so
WebcullisIniFile "/etc/webcullis/webcullis.cf"
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLOptions +StdEnvVars +ExportCertData
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlOptions +ParseHeaders
Options +ExecCGI
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCARevocationFile /etc/httpd/conf/ssl.crl/LatestCRL.pem
SSLVerifyClient webcullis
SSLVerifyDepth 4
# Send clients whose certificate did not verify to the landing page.
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule ^/ /index.html [L]
# Clear any SSL_CLIENT_* headers the client may have sent itself, then set them
# from the verified TLS session, so the proxied backend only sees server-supplied values.
RequestHeader set SSL_CLIENT_S_DN ""
RequestHeader set SSL_CLIENT_I_DN ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY ""
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
ProxyPass http://web.server.net/
ProxyPassReverse http://web.server.net/
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Save the /etc/httpd/conf.d/ssl.conf file, then replace Apache's mod_ssl with the one shipped in the Webcullis distribution:
cd /etc/httpd/modules
cp mod_ssl.so mod_ssl.so.original
cp /root/webcullis-2.1.11-RHEL5-gcc41-dist/mod_ssl.so .
Bounce Apache: /etc/init.d/httpd start
Test, and...
SUCCESS! It works the first time. Impressive. It's really a joy seeing this working at last.
Just to be sure, check what the Webcullis module is doing by looking at the
/var/log/webcullis/module.log and /var/log/webcullis/trace.log log files.
In module.log I see, among other messages:
+ Revocation status: NOT REVOKED
+ Revocation source #1
  - Revocation source error code: 0 : Success
  - Revocation source type: 2
  - Revocation source status: NOT_REVOKED
  - OCSP response information:
    + Response status: successful
    + Response type: 1.3.6.1.5.5.7.48.1.1
    + Produced at: 20100720145931Z
    + Responder name: cn=Serviço de Validação on-line do Cartão de Cidadão 000020 - EC de Autenticação do Cidadão,ou=Serviços do Cartão de Cidadão,ou=Validação on-line,o=Cartão de Cidadão,c=PT
    + OCSP single response information:
      * This update: 20100720145931Z
      * Cert serial number: 0x5fd933e0f2f95d0f
Fantastic news! I am thrilled.
Now, besides querying an OCSP responder to validate a client certificate's revocation state in real time, let's try using a CRL instead.
My Apache server will also need to accept certificates from another Certification Authority, a CA that doesn't have any OCSP service available (in this case, a CA whose OCSP service is not free).
So I will need to use a Certificate Revocation List instead.
But first I need to install the CA certificates in Apache. As I couldn't find them on the CA site, I contacted them and they kindly mailed them to me.
The whole server certificate chain was sent to me in a file with a p7b extension.
From the web:
PKCS#7/P7B Format:
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.
I need to install this certificate chain in Apache as individual DER certificates (Webcullis needs it this way), so I used this command line to convert it to a PEM chain first:
openssl pkcs7 -in DigitalSignCP.p7b -inform DER -text -print_certs -out certs.pem
Then I edited the PEM file and saved each certificate as an individual PEM file (using copy/paste).
Then I converted each of the three individual certificates created in the last step to DER format:
openssl x509 -in BTClass2CA_G2.pem -out /etc/webcullis/trustroots/BTClass2CA_G2.cer -outform der
openssl x509 -in BTDigitalSignQualifiedCA.pem -out /etc/webcullis/trustroots/BTDigitalSignQualifiedCA.cer -outform der
openssl x509 -in VeriSignClass2PublicPrimaryCertificationAUthority_G3.pem -out /etc/webcullis/trustroots/VeriSignClass2PublicPrimaryCertificationAUthority.cer -outform der
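The copy/paste step can be avoided: the bundle written by openssl pkcs7 -print_certs can be split and converted to DER in one pass. This is an added example, not part of the original post; it assumes the certs.pem bundle and the trustroots directory shown above, and it uses base64 -d instead of openssl x509 because the body of a PEM CERTIFICATE block is exactly the DER encoding in base64, so the output is byte-identical.

```shell
#!/bin/sh
# Added example (not from the original post): split a PEM bundle such as the
# certs.pem produced by "openssl pkcs7 -in chain.p7b -inform DER -print_certs"
# into one DER file per certificate, ready for /etc/webcullis/trustroots.
# The "subject=", "issuer=" and -text dump lines between the blocks are skipped.
# Usage: split_pem_to_der certs.pem /etc/webcullis/trustroots
split_pem_to_der() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    # Emit one line per certificate: "<index> <base64 body with newlines removed>".
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inside = 0; n++; print n " " body; next }
        inside { body = body $0 }
    ' "$bundle" |
    while read -r idx body; do
        der="$outdir/cert-$idx.cer"
        # PEM body -> DER bytes; same result as "openssl x509 -outform der".
        printf '%s\n' "$body" | base64 -d > "$der" || return 1
        # Print the SHA-256 fingerprint of each DER file so it can be checked
        # against the fingerprints the CA publishes before the file is trusted.
        fp=$(sha256sum "$der" | cut -c1-64)
        echo "$der sha256=$fp"
    done
}
```

Compare the printed fingerprints with those published by the CA before leaving the files in trustroots; a certificate received by e-mail should not be trusted on the strength of the e-mail alone.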
That's it. No need to mess with CRL files, as Webcullis will handle them for you (using AND updating them? I'm not sure about this, but so far I haven't found any information confirming or denying this feature). Just configure some CRL parameters in
/etc/webcullis/webcullis.cf
It's nice to have a working configuration, but I will not close this case right now. Next I will check how hard and how effective the use of MOD_NSS is.