osdir.com
mailing list archive

Subject: RE: Does Pound support CRL checking? - msg#00018

List: web.pound.general

Robert,

Here's what I did to add CRL support - please see the attached patch for
pound.c (v1.8).

I've checked this on valid and revoked certificates and it works fine.
But I should stress I'm not a security or OpenSSL expert, and can't say
there are not holes in this approach (but I believe the theory is good
:) ).

I've also posted the details to the OpenSSL mailing list, and no one has
come shouting about security flaws (but that could be because they can't
see the context in which the patch was applied).

But if you are going to use this in a production environment, you'd want
someone with a bigger brain to verify I've not introduced any
vulnerabilities...

Damien

-----Original Message-----
From: Robert Segall [mailto:roseg-Ws3YcLWMCps@xxxxxxxxxxxxxxxx]
Sent: 01 March 2005 18:37
To: pound-Ws3YcLWMCps@xxxxxxxxxxxxxxxx
Subject: Re: Does Pound support CRL checking?


On Saturday 26 February 2005 15:28, Damien Dougan wrote:
> Hi All,
>
> I've successfully got Pound to terminate with my SSL client (both client
> and server certificates).
>
> However, I have a second certificate which I have revoked (and openssl
> correctly confirms is revoked when I verify it), but Pound always allows
> the client to connect.
>
> (This is with openssl-0.9.7e and Pound 1.8)
>
> Does Pound support Certificate Revocation Lists? Does it expect the
> openssl response to verify the certificate request against the CRL, or
> does it perform it itself?
>
> Thanks,
>
> Damien

Not for the moment - though code to check CRLs in some way would be
welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Attachment: crl.patch
Description: Binary data



Next Message by Thread: Re: Does Pound support CRL checking?

On Wednesday 02 March 2005 10:41, Damien Dougan wrote:
> Robert,
>
> Here's what I did to add CRL support - please see the attached patch for
> pound.c (v1.8).
>
> I've checked this on valid and revoked certificates and it works fine.
> But I should stress I'm not a security or OpenSSL expert, and can't say
> there are not holes in this approach (but I believe the theory is good
> :) ).
>
> I've also posted the details to the OpenSSL mailing list, and no one has
> come shouting about security flaws (but that could be because they can't
> see the context in which the patch was applied).
>
> But if you are going to use this in a production environment, you'd want
> someone with a bigger brain to verify I've not introduced any
> vulnerabilities...

Thanks for the patch - please see the 1.8.2 release which incorporates the
idea.

For everybody using this, please note that you are responsible for updating
the CRL from known-good sources (the OpenSSL documentation - such as it is -
suggests once a week), and that this may cause problems if you run a chrooted
Pound. A compromise of the CRL directory may lead to a DoS attack...
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904