DevHeads.net

Is it possible to simulate mod_ssl crl checks by hand?

Hi,

Question: How do I craft an `openssl verify` command to test
validating the client's ssl cert in a way mimics what apache is
actually doing based on the configuration directives in use?

I have been looking through the source code, but its been over 25
years since I studied Kernighan and Ritche in college and I'm
struggling to follow it through.

My assumption has been that `SSLCARevocationCheck chain` is equivalent
to `openssl verify -crl_check_all` whereas `SSLCARevocationCheck leaf`
is equivalent to `openssl verify -crl_check`, but this seems to be
complicated by the SSLCARevocationPath directive, as there does not
seem to be an `openssl verify` analog for using a CRL path, only the
CA path, or CA file. If I concatenate the Trusted CA Certs with the
Trusted CA's CRLs, `openssl verify -crl_check_all -CAfile
<concatenated file>` verifies the client certificate, but that doesn't
follow the way that apache is configured.

The current relevant config looks like...

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCARevocationCheck chain
SSLCARevocationPath "/etc/pki/tls/crls/"
SSLVerifyClient require
SSLVerifyDepth 9

Before stepping further, I have to correct CRLs and CA chains setup.
/etc/pki/tls/crls/ has the hash links to the downloaded CRLs for the
trusted CAs, the ca-bundle.crt is a symlink to what's been generated
by update-ca-trust with the trusted ca certs in
/etc/pki/ca-trust/source/anchors.

We are facing an issue where clients with SSL client certs from one
particular trusted authority are not being validated and mod_ssl is
throwing a "unable to get certificate CRL" error. What is strange is
that we are not getting this issue on client certs issued by other
trusted authorities.

Thanks for reading and any kind nudges in the right direction :)

--Sean