[gnutls-help] CRL revoked certs ignored

gnutls+etherape at kernelbug.org
Mon Apr 20 13:18:54 CEST 2015


Hmm, I see I didn't put the last working CRL generation command there; this is what I did yesterday:

certtool --generate-crl --load-ca-privkey=ca-key.pem \
         --load-ca-certificate=ca-cert.pem \
         --load-certificate lrc-ldap_client.gnutls.crt \
         --outfile=crl.pem

So lrc-ldap_client.gnutls.crt should be revoked, right?
I'm running the server now with verify-client (the same server command, but extended with --verify-client-cert).

Client:
------
- Status: The certificate is trusted. 
- Successfully sent 0 certificate(s) to server.
- Description: (TLS1.2)-(ECDHE-RSA-SECP192R1)-(AES-128-GCM)
- Session ID: E3:9C:29:DA:E4:86:FC:74:6B:19:62:DF:25:BA:E6:53:DD:97:8A:98:8B:1B:40:9A:A0:AB:C7:01:A4:54:C8:BD
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP192R1
 - Curve size: 192 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Handshake was completed

Server:
------
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Echo Server listening on IPv4 0.0.0.0 port 5556...done
Echo Server listening on IPv6 :: port 5556...done

* Accepted connection from IPv4 10.50.2.12 port 48559 on Mon Apr 20 13:06:31 2015
- Description: (TLS1.2)-(ECDHE-RSA-SECP192R1)-(AES-128-GCM)
- Session ID: 13:74:51:E3:69:B6:CB:02:07:38:A1:A8:40:42:00:70:BF:A4:98:C4:BC:D7:FE:F8:D4:7E:B0:86:A7:8F:ED:23
- Given server name[1]: lrc-ldap
No certificates found!
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP192R1
 - Curve size: 192 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Channel binding 'tls-unique': 17480355da49f20e21775f7c


It's interesting that the server now says 'No certificates found!'; I don't know if this has something to do with the revocation.
But I'm still able to write data to the server, which is received.

Client:
- Simple Client Mode:

asd
asd

Server:
*** Processing 4 bytes command: asd


Regards,
Etherape


On Mon, Apr 20, 2015 at 12:40:57PM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Apr 19, 2015 at 11:38 AM, Victorian Spirit
> <gnutls+etherape at kernelbug.org> wrote:
> > Dear all,
> > I'm trying to get slapd (compiled against libgnutls) working with CRL checking.
> > So i created a CRL via certtool based on a cert i want to revoke.
> > In slapd i used 'TLSCRLFile' this seems to be ignored.
> > The client certificate is revoked and the CRL is verified with success,
> > certtool --generate-crl --load-ca-privkey=ca-key.pem --load-ca-certificate=ca-cert.pem --outfile=crl.pem
> 
> This command generates an empty CRL. What is the output of crl-info?
> For an example to generate a CRL using certtool see "Certificate
> revocation list generation" in
> http://www.gnutls.org/manual/html_node/certtool-Invocation.html
> 
> > gnutls-serv --x509keyfile=clients/lrc-ldap.key \
> >             --x509certfile=clients/lrc-ldap.crt \
> >             --x509crlfile=crl.pem \
> >             --x509cafile=ca-cert.pem --echo
> 
> This command does not verify the client certificate. To enable client
> certificate verification use "-r" or --verify-client-cert.
> 
> regards,
> Nikos
> 
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help


