Bug 35748 – Keep CRL up to date

Bug 35748 - Keep CRL up to date


Summary:	Keep CRL up to date

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SSL
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	UCS 4.1-2-errata
Assigned To:	Philipp Hahn
QA Contact:	Janek Walkenhorst

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2014-08-29 10:05 CEST by Janis Meybohm
Modified:	2016-07-21 15:16 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Janis Meybohm

2014-08-29 10:05:13 CEST

The nextUpdate field within ucsCA CRL is, by default, set to "now + 30 days" when a certificate is revoked. If those 30 days pass without a new revocation the CRL is outdated services that verify the CRL fail.

We should update the CRL when it is outdated like:

--
#!/bin/bash

nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"

if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then
    openssl ca \
      -config /etc/univention/ssl/openssl.cnf \
      -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
      -passin file:/etc/univention/ssl/password

    openssl crl \
      -in /etc/univention/ssl/ucsCA/crl/crl.pem \
      -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
      -inform pem -outform der

    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--

We could for example define @reboot cronjob or init script that defines a AT-job that updates the CRL at $nextUpdate (and afterwards defines a new AT-job at the new $nextUpdate, respectively updates the AT-job if $nextUpdate has changed in between).

Comment 1 Michael Grandjean

2014-11-07 21:12:54 CET

FYI: The certificate Baseline Requirements of the CA/Browser Forum define:

> the CA SHALL update and reissue CRLs at least once every seven days,
> and the value of the "nextUpdate" field MUST NOT be more than ten days 
> beyond the value of the "thisUpdate" field

https://cabforum.org/baseline-requirements-documents/

Comment 2 Michael Grandjean

2016-01-12 09:40:47 CET

2015111221000416

Comment 3 Michael Grandjean

2016-02-17 12:46:06 CET

Just for completeness: if someone is using the script from comment #0 and wants to reduce the value of "nextUpdate", the script can be extended with the "-crldays" option:

--
#!/bin/bash

nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"

if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then
    openssl ca \
      -config /etc/univention/ssl/openssl.cnf \
      -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
      -crldays 7 \
      -passin file:/etc/univention/ssl/password

    openssl crl \
      -in /etc/univention/ssl/ucsCA/crl/crl.pem \
      -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
      -inform pem -outform der

    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--

Nevertheless, the value for crldays/nextUpdate should be configurable via UCR.

Comment 4 Philipp Hahn

2016-06-23 14:13:15 CEST

r70576 | Bug #35748 ssl: Re-generate CRL periodically

Package: univention-ssl
Version: 10.0.0-12.169.201606231402
Branch: ucs_4.1-0
Scope: errata4.1-2

r70577 | Bug #31369,Bug #39257,Bug #24094,Bug #40498,Bug #25285,Bug #35748: ssl YAML
 univention-ssl.yaml

Comment 5 Janek Walkenhorst

2016-07-14 18:38:08 CEST

Code review: OK
Tests: OK
Advisory: OK

Comment 6 Janek Walkenhorst

2016-07-21 15:16:05 CEST

<http://errata.software-univention.de/ucs/4.1/213.html>