3 replies, latest post 2012-03-30T11:59:35Z by SystemAdmin

robin_kaiser_dsv
CRL Checking with multiple CDPs in X509 certificate extension

2012-03-29T12:36:33Z
Hi there,

Does anybody know how IHS handles multiple CDPs in the URIDistributionPoint X509 extension of the client certificate?
We have client authentication enabled with CRL checking in httpd.conf:

SSLClientAuth required crl

Furthermore, SSLCRLHostname is configured for "backwards compatibility":

SSLCRLHostname LDAPhostname.company.de
SSLCRLPort 389
SSLCRLUserID anonymous
SSLStashfile /prod/IBMIHS_.../conf/usercrl.sth

I do not exactly understand why, but maybe there are some older client certificates in the field that do not have a CDP extension in them.

The newer client certificates have a URIDistributionPoint X509 extension that looks like this (sorry, some German words):
one LDAP resource, one HTTP resource:

[1]Sperrlisten-Verteilungspunkt
Name des Verteilungspunktes:
Vollst. Name:
URL=ldap://LDAPhostname.company.de/CN=...,O=...GmbH,L=Stuttgart,ST=Baden-Wuerttemberg%20(BW),C=DE?certificateRevocationList;binary
URL=http://HTTPHostname.company.de/CRLPATH/LatestCRL.crl

The LDAP hostname in the certificate extension is the same as configured in httpd.conf SSLCRLHostname.

Normally this is working fine, but we had multiple failures of the non-IBM LDAP resource in the last months. So we expected IHS to contact the HTTP resource as a kind of backup if LDAP was not reachable.
Obviously this did not happen, and login to the application failed because CRL checking was not possible.

But why was there no connection to the given HTTP server to check the CRL after LDAP failed?

Can anybody explain this behaviour?
How should it behave according to IBM's specifications? I did not find any documentation about this.
Is there a possibility to configure IHS to follow multiple CDPs before failing?

Thanks for any help.
  • SystemAdmin

    Re: CRL Checking with multiple CDPs in X509 certificate extension

    2012-03-29T15:05:27Z in response to robin_kaiser_dsv
    Yes -- the LDAP stuff is even more legacy than CRL in general and used to be the only source of CRL info. Current CRL support is still tied to enabling the explicit LDAP stuff.

    Have you reviewed the summary of the processing here?

    http://publib.boulder.ibm.com/httpserv/ihsdiag/gather_crl_doc.html
  • robin_kaiser_dsv

    Re: CRL Checking with multiple CDPs in X509 certificate extension

    2012-03-30T11:10:12Z in response to robin_kaiser_dsv
    Hi Eric,
    thanks for your reply.
    Yes, I already read the document you mentioned.

    What I found there is:

    ... (For GSKit 7.0.3.31 and later, file:// and http:// CDP's are also followed)

    But there is no comment on what happens if there are two different CDPs in the X509 cert extension.

    In our case, IHS only follows the LDAP resource, not the HTTP resource, although both are given in the cert extension.
    After IHS was not able to contact the LDAP resource because the LDAP server was temporarily offline, we had expected that the HTTP resource would be contacted by IHS as a redundancy configuration. This did not happen.

    Thanks.
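The behaviour the poster expected in the original question and in this follow-up (both URIs in the certificate's CRL distribution point treated as alternatives, with the HTTP one tried after LDAP fails) can be shown in code. The block below is an added example and is not code from this thread, from IBM HTTP Server or from GSKit: it builds a CRLDistributionPoints extension in DER from two constructed URIs modelled on the ones in the question, parses every URI back out in certificate order, and then walks them with fallback. The names `build_cdp_extension`, `extract_cdp_uris`, `fetch_crl_with_fallback` and the simulated fetchers are hypothetical; real LDAP and HTTP retrieval is replaced by stand-ins so the example runs offline.

```python
"""Added example: parse the CRLDistributionPoints extension and try each CDP
URI in order with fallback. Not IHS/GSKit code; URIs and fetchers are constructed."""

# Constructed sample URIs, modelled on the two CDPs shown in the question.
LDAP_URI = ("ldap://LDAPhostname.company.de/CN=EXAMPLE-CA,O=EXAMPLE-GmbH,C=DE"
            "?certificateRevocationList;binary")
HTTP_URI = "http://HTTPHostname.company.de/CRLPATH/LatestCRL.crl"
SAMPLE_CRL_BYTES = b"-----BEGIN X509 CRL-----\n(constructed placeholder)\n"

# --- minimal DER helpers, enough for this one extension -------------------

def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

# --- CRLDistributionPoints, RFC 5280 section 4.2.1.13 ----------------------

def build_cdp_extension(uris):
    """Encode one DistributionPoint whose fullName lists every URI given."""
    general_names = b"".join(_tlv(0x86, u.encode("ascii")) for u in uris)  # [6] URI
    full_name = _tlv(0xA0, general_names)   # fullName [0] IMPLICIT GeneralNames
    dp_name = _tlv(0xA0, full_name)         # distributionPoint [0] EXPLICIT (CHOICE)
    return _tlv(0x30, _tlv(0x30, dp_name))  # SEQUENCE OF DistributionPoint

def extract_cdp_uris(der):
    """Return every URI GeneralName in the extension, in certificate order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for tag, dp in _children(seq):
        if tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for ftag, field in _children(dp):
            if ftag != 0xA0:               # reasons [1] and cRLIssuer [2] are skipped
                continue
            for ntag, name in _children(field):
                if ntag == 0xA0:           # fullName; nameRelativeToCRLIssuer [1] skipped
                    uris.extend(gn.decode("ascii")
                                for gtag, gn in _children(name) if gtag == 0x86)
    return uris

def fetch_crl_with_fallback(uris, fetchers):
    """Try each CDP URI in order. fetchers maps a URL scheme to callable(uri) -> bytes.
    RFC 5280 treats every name inside one DistributionPoint as an alternative way to
    obtain the same CRL, so a failure on one name falls through to the next."""
    failures = []
    for uri in uris:
        scheme = uri.split(":", 1)[0].lower()
        fetch = fetchers.get(scheme)
        if fetch is None:
            failures.append((uri, "unsupported scheme"))
            continue
        try:
            return uri, fetch(uri)
        except OSError as exc:
            failures.append((uri, str(exc)))
    raise RuntimeError("no CDP reachable: %r" % failures)

# Constructed stand-ins for the thread's scenario: LDAP server offline, HTTP fine.
def simulated_ldap_offline(uri):
    raise OSError("connection refused")

def simulated_http_ok(uri):
    return SAMPLE_CRL_BYTES

SAMPLE_CDP_DER = build_cdp_extension([LDAP_URI, HTTP_URI])

if __name__ == "__main__":
    uris = extract_cdp_uris(SAMPLE_CDP_DER)
    print("CDP URIs in certificate order:", uris)
    used, crl = fetch_crl_with_fallback(uris, {"ldap": simulated_ldap_offline,
                                               "http": simulated_http_ok})
    print("CRL obtained from", used)
```

Whether IHS/GSKit implements this fall-through for a second URI in the same DistributionPoint is exactly the open question in this thread; the parser part is independent of that and is a quick way to confirm, from the raw extension bytes, which URIs a given client certificate actually carries and in what order.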
    • SystemAdmin

      Re: CRL Checking with multiple CDPs in X509 certificate extension

      2012-03-30T11:59:35Z in response to robin_kaiser_dsv
      Can't mock this up; can you get a GSKit trace (preferably at 7.0.4.35 or 8.0.x) and attach it along with the certificate and chain? I can then take this to the GSKit team to confirm it's expected.

      You should be able to compress a trace of a single request and attach it; otherwise you can email it to ecovener@us.ibm.com.