Open rlueckl opened 10 months ago
I would first check if this really makes sense. Why more then one issuer? Is there a use case? I didn't find any other examples...
But on the other end, the "s" at the end of "Issuers" seems to indicate that more then one should be possible
Just as info
Authority Information Access (AIA) is a special extension in SSL certificates that contains information about the issuer of the certificate. This extension helps fetch intermediate certificates from the issuing certification authority. In case if server does not provide intermediate certificates, they could be downloaded from the link contained in the AIA field. This approach allows saving the certificate chain and performing an SSL certificate check, even if the server incorrectly configured. If user's client supports AIA Fetching, then user does not even aware of server configuration errors.
Since I do not have host to test. Do you (@rlueckl) have a host I could use for debugging? You could send it to me privately and I would not disclose it.
I just had check_ssl_cert correctly return CRITICAL for a revoked certificate due to OCSP a few days ago, so I do think it works currently.
I just had check_ssl_cert correctly return CRITICAL for a revoked certificate due to OCSP a few days ago, so I do think it works currently.
I just checked, and it works (I deleted my earlier comments, as the implementation seems correct).
The OCSP client needs the intermediate certificate to perform the check. What should be done if multiple are specified and if one is not OK is not really clear to me.
The extension is there to permit a check even if the server does not deliver the intermediate certificate. On a first thought, it seems to me that an invalid intermediate certificate should not be accepted. On the other hand, since this attribute is there to help in case of a misconfigured server, I do not see a lot of problems by checking all of them.
Reference to check
Seems that multiple certifcates are possible:
An authorityInfoAccess extension may include multiple instances of the id-ad-caIssuers accessMethod. The different instances may specify different methods for accessing the same information or may point to different information. When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP [RFC2616] or LDAP [RFC4516] URI.
The AIA extensions are used to help in path building, by pointing to potential certificates for the issuer. Use of these certificate is not mandatory; mass deployment of intermediate CA certificates is a viable alternative (at least in organized networks which offer facilities for that, e.g. Active Directory servers).
In this case the issue is valid and is a bug
I'm not sure if I understand this ticket, but if this is about hiding server configuration issues by downloading intermediate certificates from AIA, I strongly disagree, as previously discussed:
https://github.com/matteocorti/check_ssl_cert/issues/366#issuecomment-1074138086
I'm not sure if I understand this ticket, but if this is about hiding server configuration issues by downloading intermediate certificates from AIA, I strongly disagree, as previously discussed:
I agree with you. I am not using the information from AIA to validate the chain. A missing intermediate certificate is an error.
According to the RFC the information in the AIA is there to perform the OCSP check.
I still have to check, but I could completely ignore the certificate specified with AIA and send the intermediate from the chain.
I need some time to perform some checks.
Sorry, this goes a little bit above my head. :smile:
As far as I understand https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.7 multiple certificates are possible and can be used to validate the chain (as you already wrote). I think the intention of multiple entries was to have a fallback in case one URL isn't reachable.
According to the RFC the information in the AIA is there to perform the OCSP check.
I still have to check, but I could completely ignore the certificate specified with AIA and send the intermediate from the chain.
This would also work for us. Our servers offer the complete chain, no need to download the intermediate from the AIA.
Unfortunately I can't send you a host (even privately), because all the information is confidential. I can give you debug logs with the hostnames, filenames, etc. altered like in the initial message.
Sorry, this goes a little bit above my head. 😄
As far as I understand https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.7 multiple certificates are possible and can be used to validate the chain (as you already wrote). I think the intention of multiple entries was to have a fallback in case one URL isn't reachable.
According to the RFC the information in the AIA is there to perform the OCSP check. I still have to check, but I could completely ignore the certificate specified with AIA and send the intermediate from the chain.
This would also work for us. Our servers offer the complete chain, no need to download the intermediate from the AIA.
Unfortunately I can't send you a host (even privately), because all the information is confidential. I can give you debug logs with the hostnames, filenames, etc. altered like in the initial message.
I'll have to craft a local test certificate then ...
maybe wrong to comment here, but I feel it's related.
if local CA root certificate is expired, the certificate chain validation doesn't happen at all and the check returns OK status. Should the test return CRIT if the local CA root cert is expired given it leverages it for these checks?
Is your feature request related to a problem? Please describe.
Similar to #258 could we also have a feature that the OCSP check loops over all "CA Issuers" found in the certificate? Currently it only looks at the first issuer and if that doesn't match the certificate, the OCSP validation fails.
Our internal CA writes 3 different issuers in the certificate (one old one and two new ones), but only one of them (the last one) matches the certificate.
Describe the solution you'd like
check_ssl_cert
should loop over all "CA Issuers" and only throw an error if the certificate can't be validated against any of them.Additional context
Certificate contains:
The certificate issuer is internalissuer_new_b.
check_ssl_cert
only looks at internalissuer_old. Debug log from testing:Testing manually: