Thursday, July 9, 2015

Apache HTTPd SSL/OCSP primer

I just stumbled over some old howto I used for testing OSCP. Here I'm pasting it to hopefully help somebody understand how it works. It assumes you have already up and running Apache HTTPd web server.

Create needed certificates

Download this useful script:
https://git.fedorahosted.org/cgit/pkinit-nss.git/plain/doc/openssl/make-certs.sh
Use the script to generate certifictes:
./make-certs.sh europa.sfo.corp.google.com test@example.com all ocsp:http://europa.sfo.corp.google.com/
./make-certs.sh america.sfo.corp.google.com test@example.com all ocsp:http://europa.sfo.corp.google.com/

Prepare and start responder using openSSL

Create index.txt file which contains information about certificates the responder is handling.
File is plain text file with fields separated by TAB.
Here is example of structure:
V       100320100000Z           593C5290F246444B        unknown DC=com, DC=example/mail=test@example.com, CN=europa.sfo.corp.google.com
V                       B9290C71D224ACB3        unknown DC=com, DC=example, CN=Test Certifying CA
R       131021200751Z   100324142709Z,superseded        593C5290F246444C        unknown DC=com, DC=example/mail=test@example.com, CN=america.sfo.corp.google.com


The columns are defined as:
#define DB_type         0 /* Status of the certificate */
#define DB_exp_date     1 /* Expiry date */
#define DB_rev_date     2 /* Revocation date */
#define DB_serial       3       /* Serial No., index - unique */
#define DB_file         4      
#define DB_name         5       /* DN, index - unique when active and not disabled */

Notes:
- DB_type could be only V | R, E is not working
- date format is YYMMDDHHMMSSZ
- DB_serial has to be in HEX with upper case letters
- use example provided above, just don't forget to change serial numbers

Start responder using:
openssl ocsp -index index.txt -port 8088 -rsigner certs/ca.pem -CA certs/ca.pem -text

Check if responder is working fine using:
openssl ocsp -issuer certs/ca.pem -CAfile certs/ca.pem -url http://localhost:8088 -cert certs/europa.sfo.corp.google.com.pem
should return GOOD certificate status

openssl ocsp -issuer certs/ca.pem -CAfile certs/ca.pem -url http://localhost:8088 -cert certs/america.sfo.corp.google.com.pem
should return REVOKED ... reason: superseded

Modify $EWS_HOME/httpd/conf.d/ssl.conf:

- add this to the end of file:
#OCSP
SSLVerifyClient on
SSLVerifyDepth 10
SSLOCSPEnable on
SSLOCSPDefaultResponder 
http://localhost:8088/
SSLOCSPOverrideResponder on

- httpd has to ask for client certificate and enable OCSP and set default responder

- uncomment SSLCACertificateFile /etc/pki/tls/cert.pem line in the SSL configuration file and make sure your new CA is added to the cert.pem file
  or just point this to oscp/certs/ca.crt (generated in one of previous steps)

- copy some static content to $EWS_HOME/httpd/www/html/
  e.g. echo "OCSPTestSucceed" > $EWS_HOME/httpd/www/html/ocsp.txt

- start apache

Now try it out:

run:
wget --output-document=/dev/null --no-check-certificat --certificate=client_cert/america.sfo.corp.google.com.pem --ca-certificate=client_cert/ca.pem  https://<your server>/ocsp.txt
result:
Resolving <your server>... 10.34.34.43
Connecting to <your server>|10.34.34.43|:443... connected.
OpenSSL: error:14094414:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
Unable to establish SSL connection.

run:
wget --output-document=/dev/null --no-check-certificat --certificate=client_cert/europa.sfo.corp.google.com.pem --ca-certificate=client_cert/ca.pem  https://<your server>/ocsp.txt

result:
HTTP request sent, awaiting response... 200 OK

References

Attribution

Thanks to my colleague Rajesh for preparing initial info.

No comments:

Post a Comment