Part 5: MOD_SSL alternatives

29 12 2010

After many problems trying to use Apache with MOD_SSL and OCSP, I began searching for other solutions for setting up this server.
I've narrowed those down to three free alternatives:

MOD_NSS http://directory.fedoraproject.org/wiki/Mod_nss
Webcullis http://pkif.sourceforge.net/webcullis.html
Pathfinder http://www.carillon.ca/tools/pathfinder.php

After some searching, MOD_NSS looked to me a bit, how can I say, stalled. There is not a lot of movement on its mailing lists, and there are not so many hits on MOD_NSS plus OCSP, or at least not as many compared to MOD_SSL and OCSP. Whether this is a bad thing or a good sign I don't know. I've decided to test Webcullis first.

I went to its web page (the PKIF project) and downloaded webcullis-2.1.11-RHEL5-gcc41-dist, the version available at the time of this writing,
uncompressed it in root's home directory (/root) and followed the INSTALL file step by step.
(NOTE: Webcullis expects to find the CA certificates in DER format, so I converted all the individual certificates that I had downloaded from the CA website to DER format using "openssl x509 -in certificate.crt -out certificate.cer -outform der".)

mkdir -p /etc/webcullis/trustroots
mkdir -p /var/log/webcullis
mkdir -p /usr/local/webcullis/lib
cd /root/webcullis-2.1.11-RHEL5-gcc41-dist
cp lib/* /usr/local/webcullis/lib/
cp conf/* /etc/webcullis/
cd /etc/pki/tls/certs
cp *.cer /etc/webcullis/trustroots/
echo /usr/local/webcullis/lib > /etc/ld.so.conf.d/webcullis.conf   # add the lib directory to the dynamic loader search path
ldconfig
ln -s /usr/local/webcullis/lib/libmod_auth_webcullis.so /etc/httpd/modules
cp /etc/httpd/conf.d/ssl.conf  /etc/httpd/conf.d/ssl.conf.original
vi /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_webcullis_module modules/libmod_auth_webcullis.so
WebcullisIniFile "/etc/webcullis/webcullis.cf"

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

        SSLOptions +StdEnvVars +ExportCertData

                SetHandler perl-script
                PerlResponseHandler ModPerl::Registry
                PerlOptions +ParseHeaders
                Options +ExecCGI        

        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel debug

        SSLEngine on

        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
        SSLCARevocationFile /etc/httpd/conf/ssl.crl/LatestCRL.pem
        SSLVerifyClient webcullis
        SSLVerifyDepth 4

        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule ^/ /index.html [L]

        RequestHeader set SSL_CLIENT_S_DN    ""
        RequestHeader set SSL_CLIENT_I_DN    ""
        RequestHeader set SSL_SERVER_S_DN_OU ""
        RequestHeader set SSL_CLIENT_VERIFY  ""

                RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
                RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
                RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
                RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"

                ProxyPass          http://web.server.net/
                ProxyPassReverse   http://web.server.net/

                SSLOptions +StdEnvVars
        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        CustomLog logs/ssl_request_log \
                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Save the /etc/httpd/conf.d/ssl.conf file.

cd /etc/httpd/modules
cp mod_ssl.so mod_ssl.so.original
cp /root/webcullis-2.1.11-RHEL5-gcc41-dist/mod_ssl.so .

Bounce Apache: /etc/init.d/httpd start
Test and...

SUCCESS! It works, first time. Impressive. It's really a joy seeing this working at last.
Just to be sure, check what the Webcullis module is doing by looking at the
/var/log/webcullis/module.log and /var/log/webcullis/trace.log log files.

In module.log I see, among other messages:

+ Revocation status: NOT REVOKED
+ Revocation source #1
     - Revocation source error code: 0 : Success
     - Revocation source type: 2
     - Revocation source status: NOT_REVOKED
     - OCSP response information:
            + Response status: successful
            + Response type: 1.3.6.1.5.5.7.48.1.1
            + Produced at: 20100720145931Z
            + Responder name: cn=Serviço de Validação on-line do Cartão de Cidadão 000020 - EC de Autenticação do Cidadão,ou=Serviços do Cartão de Cidadão,ou=Validação on-line,o=Cartão de Cidadão,c=PT
            + OCSP single response information:
                    * This update: 20100720145931Z
                    * Cert serial number: 0x5fd933e0f2f95d0f

Fantastic news! I am thrilled.

Now, besides accessing an OCSP responder for validating a client certificate's revocation state in real time, let's try to use a CRL instead.
My Apache server will also need to accept certificates from another Certification Authority, a CA that doesn't have any OCSP service available. (In this case, it's a CA whose OCSP service is not free.)
So I will need to use a Certificate Revocation List instead.
But first I need to install the CA's certificates in Apache. As I couldn't find them on the CA site, I've contacted them and they kindly mailed them to me.

The whole server certificate chain was sent to me in a file with a .p7b extension.

From the web:

PKCS#7/P7B Format:
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files, including Microsoft Windows and Java Tomcat.

I need to install this certificate chain in Apache as individual DER certificates (Webcullis needs it this way), so I used this command line to convert it to a PEM chain first:

openssl pkcs7 -in DigitalSignCP.p7b -inform DER -text -print_certs -out certs.pem

Then I edited the PEM file and saved each certificate's data as an individual PEM file (using copy/paste).
Then, for each of the three individual certificates created in the last step, I converted to DER format:

openssl x509 -in BTClass2CA_G2.pem -out /etc/webcullis/trustroots/BTClass2CA_G2.cer -outform der
openssl x509 -in BTDigitalSignQualifiedCA.pem -out /etc/webcullis/trustroots/BTDigitalSignQualifiedCA.cer -outform der
openssl x509 -in VeriSignClass2PublicPrimaryCertificationAUthority_G3.pem -out /etc/webcullis/trustroots/VeriSignClass2PublicPrimaryCertificationAUthority.cer -outform der
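The copy/paste step above (and the one-by-one PEM-to-DER conversion of the trust roots earlier on) can be done in one pass: the DER form of a certificate is simply the base64-decoded body of its PEM block, so a PEM bundle such as the certs.pem written by "openssl pkcs7 -print_certs" can be split straight into Webcullis-style .cer files with only awk and coreutils base64. This is an added example, not part of the original post or of the Webcullis/PKIF project; the function name and the cert-NN.cer naming scheme are my own choices.

```shell
#!/bin/sh
# split_pem_to_der BUNDLE OUTDIR
# Split a PEM certificate bundle (e.g. certs.pem from "openssl pkcs7 -print_certs")
# into one DER-encoded .cer file per certificate, the layout Webcullis expects
# in /etc/webcullis/trustroots. The "subject=" / "Subject:" lines and the other
# text that -print_certs or -text emit between the blocks are ignored.
# Prints the number of certificates written; returns non-zero on failure.
split_pem_to_der() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1
    # Pass 1: copy the base64 body of each certificate into its own file.
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1; fname = sprintf("%s/cert-%02d.b64", dir, n); next }
        /^-----END CERTIFICATE-----/   { inside = 0; close(fname); next }
        inside                         { print > fname }
    ' "$bundle" || return 1
    # Pass 2: base64-decode each body to DER (.cer) and drop the intermediate file.
    count=0
    for b64 in "$outdir"/cert-*.b64; do
        [ -f "$b64" ] || break
        base64 -d "$b64" > "${b64%.b64}.cer" || return 1
        rm -f "$b64"
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone use: ./split_pem_to_der.sh certs.pem /etc/webcullis/trustroots
if [ "$#" -eq 2 ]; then
    split_pem_to_der "$1" "$2"
fi
```

The resulting files are numbered in bundle order; check which CA each one is with "openssl x509 -inform der -noout -subject -in cert-01.cer" before renaming them to something descriptive.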

That's it. No need to mess with CRL files, as Webcullis will do it for you (using AND updating? I'm not sure about this, but so far I haven't found any information confirming or denying this feature). Just configure some CRL parameters in
/etc/webcullis/webcullis.cf

It's nice to have a working configuration, but I will not close this case right now. Next I will check how hard, and how effective, it is to use MOD_NSS.

