Open GoogleCodeExporter opened 8 years ago
I would be happy to review and incorporate a code submission that included
changes along these lines. I do not plan to work on this any time soon myself,
primarily as I do not have the time and motivation to set up a proper SSL test
environment. (I don't use SSL with Munki in my own implementation)
I do plan to eventually remove the use of curl in Munki and replace it with NSURLConnection and friends.
Original comment by gregnea...@mac.com
on 10 Apr 2014 at 1:07
https://gist.github.com/gregneagle/7571880
Would be interested if this code properly handles revoked certs in your
testing. It did for me five months ago...
Original comment by gregnea...@mac.com
on 10 Apr 2014 at 5:40
[deleted comment]
Does not work in my case. Maybe it's because our CA only lists CRL URLs in the
certificate, no OCSP...
It does look like your code properly handles OCSP, at least with that VeriSign
test page: on port 443 it presents a valid certificate and on port 2443 it
presents a revoked one, both of which your code recognizes correctly.
However, I read somewhere that the Apple frameworks only do OCSP for EV
certificates. So that would be of limited use as well.
I'll see if I can get some example code together which uses curl's --crlfile
Original comment by michael....@gmail.com
on 10 Apr 2014 at 6:36
Once the curl dependency is removed from Munki, I'm not too keen on putting it
back for this.
And when would you do the revocation check? every single connection to the
Munki server? (That would be the only "correct" implementation, but at a
non-trivial cost)
Original comment by gregnea...@mac.com
on 10 Apr 2014 at 6:39
"However, I read somewhere that the Apple frameworks only do OCSP for EV
certificates. So that would be of limited use as well."
How does Safari behave in your test scenario?
Original comment by gregnea...@mac.com
on 10 Apr 2014 at 6:51
CRLs usually are not updated more often than once a day and they specify a
validity period of a week or so, so downloading the CRL daily would be
sufficient.
My certificate is definitely revoked, which I have verified by looking for the
serial number in the CRL and by using SSL Labs' SSL Server Test.
Safari does not check the CRL either. I actually have yet to find an up-to-date
web browser that correctly implements revocation checking... Chrome only checks
its internal list (called "CRLSets") and Firefox only does OCSP (while
considering the certificate as valid if it is unable to reach the OCSP server
-- making it useless against man-in-the-middle attacks using the compromised
private key if the attacker is also able to block access to the OCSP server).
https://developer.apple.com/library/ios/technotes/tn2232/_index.html says that
you can use SecPolicyCreateRevocation to specifically check for OCSP or CRL
revocation, but that appears to not be available before OS X 10.9.
The more I read about this certificate revocation stuff, the more I'm thinking
it's completely broken. Nobody checks CRLs anymore and OCSP is only checked by
some browsers. OCSP stapling would be a good and scalable solution, but it's
implemented almost nowhere. Not even all CAs include OCSP URLs in their
certificates.
Original comment by michael....@gmail.com
on 11 Apr 2014 at 7:09
Original issue reported on code.google.com by
michael....@gmail.com
on 10 Apr 2014 at 11:42