Hi
A cautious handling of Heartbleed included renewing private keys and certificates. But that is of no interest if the possibly compromised certificate is not revoked, or if revocation is not enforced.
I therefore tried CRL in OpenLDAP (linked with OpenSSL). I first started with client settings, in ~/.ldaprc:
BASE dc=example,dc=net
URI ldaps://ldap.example.net
TLS_CACERT /etc/openssl/certs/ca.crt
TLS_REQCERT demand
TLS_CACERTDIR /home/manu/openssl/ca
TLS_CRLCHECK all
As suggested in the man page, I added a copy of /etc/openssl/certs/ca.crt in /home/manu/openssl/ca and tried an ldapsearch on the server. It fails, and with debug output I have:
TLS certificate verification: Error, unable to get certificate CRL
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get certificate CRL).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
A kernel trace shows that, before the error message, it attempts to open /home/manu/openssl/ca/0726b466.r0
If I rename the CA to that name, it will read it, then fail on:
TLS certificate verification: Error, unable to get certificate CRL
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:0906D06C:PEM routines:PEM_read_bio:no start line.
That suggests the man page is wrong and it is not expecting a CA there. If I remove the CA from /home/manu/openssl/ca/ and copy the CRL to /home/manu/openssl/ca/0726b466.r0, it reads it without complaint, then tries to read /home/manu/openssl/ca/0726b466.r1 and fails there.
If I copy /home/manu/openssl/ca/0726b466.r0 to /home/manu/openssl/ca/0726b466.r1, the message suggests that it is indeed trying to load the CRL from that file:
TLS: can't connect: error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table.
I have a few questions before I start to read the code, just in case it is a known issue:
Why the cryptic file names? And why do I need a second 0726b466.r1 file? Using TLS_CRLCHECK peer instead of TLS_CRLCHECK all does not change the behavior.
And is OpenSSL CRL supposed to work? This is OpenLDAP 2.4.33.
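Background on the file names seen above, followed by an added example that is not part of the thread and not OpenLDAP or OpenSSL code. The names come from OpenSSL's hashed-directory lookup (the X509_LOOKUP_hash_dir method behind TLS_CACERTDIR and `openssl verify -CApath`): each object is looked up as `<hash>.<N>` for certificates and `<hash>.r<N>` for CRLs, where `<hash>` is X509_NAME_hash() of the certificate subject or the CRL issuer, printed as eight lowercase hex digits, and `N` counts from 0. The lookup probes index 0, 1, 2, ... and stops at the first index whose file does not exist, so an attempt to open `.r1` right after `.r0` was read is the loop terminating, not a request for a second file; placing the same CRL under both names loads it twice, which is what `X509_STORE_add_crl:cert already in hash table` reports. A CA certificate belongs in the same directory under `<hash>.0`, which is the layout the man page assumes; `openssl x509 -hash -noout -in ca.crt`, `openssl crl -hash -noout -in ca.crl` and `c_rehash <dir>` produce these names. With `TLS_CRLCHECK all` a CRL is required for every CA in the chain, with `peer` only for the issuer of the server certificate. The Python below reimplements the SHA-1 based X509_NAME_hash (OpenSSL 1.0.0 and later; c_rehash additionally creates the legacy MD5 names) from a name given as RDNs, and simulates the probe order. The sample issuer name is constructed for illustration and its hash is unrelated to the 0726b466 in the post.

```python
"""Reimplementation of OpenSSL's hashed-directory naming for TLS_CACERTDIR.

Added example; not code from the OpenLDAP thread, OpenLDAP or OpenSSL.
The sample name in main() is constructed for illustration.
"""
import hashlib
import re

# Attribute short names -> dotted OIDs (the ones commonly found in CA names).
ATTR_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
    "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, DER length, value."""
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) with base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


_ASN1_SPACE = re.compile(rb"[ \t\n\x0b\x0c\r]+")


def canon_string(value: str) -> bytes:
    """OpenSSL asn1_string_canon(): convert to UTF-8, trim leading/trailing
    whitespace, collapse internal whitespace runs to one space, and fold only
    ASCII A-Z to lowercase (non-ASCII bytes are left untouched)."""
    raw = _ASN1_SPACE.sub(b" ", value.encode("utf-8")).strip(b" ")
    return bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in raw)


def canonical_encoding(rdns) -> bytes:
    """Canonical Name encoding hashed by X509_NAME_hash(): for each RDN a
    SET OF { SEQUENCE { OID, UTF8String(canonical value) } }, concatenated
    WITHOUT the outer SEQUENCE header.  rdns = [[(attr, value), ...], ...]."""
    out = b""
    for rdn in rdns:
        # DER SET OF orders its elements by their encodings.
        avas = sorted(
            der_tlv(0x30, der_oid(ATTR_OIDS.get(attr, attr)) + der_tlv(0x0C, canon_string(val)))
            for attr, val in rdn
        )
        out += der_tlv(0x31, b"".join(avas))
    return out


def name_hash(rdns) -> str:
    """X509_NAME_hash(): SHA-1 of the canonical encoding, first four bytes
    read little-endian, printed as %08lx (the <hash> in <hash>.0 / <hash>.r0)."""
    digest = hashlib.sha1(canonical_encoding(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def lookup_files(hash_hex: str, kind: str, present) -> list:
    """Files the by_dir lookup opens for one hash: <hash>.N for certificates,
    <hash>.rN for CRLs, N = 0, 1, 2, ... stopping at the first index that is
    not present (stat() fails).  Every file found is loaded into the store, so
    the same CRL stored under .r0 and .r1 is added twice."""
    suffix = "r" if kind == "crl" else ""
    found, i = [], 0
    while True:
        fname = "%s.%s%d" % (hash_hex, suffix, i)
        if fname not in present:
            break
        found.append(fname)
        i += 1
    return found


def main():
    # Constructed sample issuer/subject name (assumption, not from the post).
    ca_name = [[("C", "FR")], [("O", "Example")], [("CN", "Example CA")]]
    h = name_hash(ca_name)
    print("CA certificate file:", h + ".0")
    print("CRL file:          ", h + ".r0")
    print("probe order with r0 only:", lookup_files(h, "crl", {h + ".r0"}))


if __name__ == "__main__":
    main()
```

The hash is case- and whitespace-insensitive by construction, so two CAs whose names differ only in case collide and end up as `<hash>.0` and `<hash>.1`, which is exactly why the lookup keeps probing the next index.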