Bug 35748 - Keep CRL up to date
Keep CRL up to date
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
UCS 4.1
Other Linux
: P5 enhancement (vote)
: UCS 4.1-2-errata
Assigned To: Philipp Hahn
Janek Walkenhorst
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-08-29 10:05 CEST by Janis Meybohm
Modified: 2016-07-21 15:16 CEST (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2014-08-29 10:05:13 CEST
The nextUpdate field within ucsCA CRL is, by default, set to "now + 30 days" when a certificate is revoked. If those 30 days pass without a new revocation the CRL is outdated services that verify the CRL fail.

We should update the CRL when it is outdated like:

--
#!/bin/bash

nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"

if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then
    openssl ca \
      -config /etc/univention/ssl/openssl.cnf \
      -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
      -passin file:/etc/univention/ssl/password

    openssl crl \
      -in /etc/univention/ssl/ucsCA/crl/crl.pem \
      -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
      -inform pem -outform der

    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--

We could for example define @reboot cronjob or init script that defines a AT-job that updates the CRL at $nextUpdate (and afterwards defines a new AT-job at the new $nextUpdate, respectively updates the AT-job if $nextUpdate has changed in between).
Comment 1 Michael Grandjean univentionstaff 2014-11-07 21:12:54 CET
FYI: The certificate Baseline Requirements of the CA/Browser Forum define:

> the CA SHALL update and reissue CRLs at least once every seven days,
> and the value of the "nextUpdate" field MUST NOT be more than ten days 
> beyond the value of the "thisUpdate" field

https://cabforum.org/baseline-requirements-documents/
Comment 2 Michael Grandjean univentionstaff 2016-01-12 09:40:47 CET
2015111221000416
Comment 3 Michael Grandjean univentionstaff 2016-02-17 12:46:06 CET
Just for completeness: if someone is using the script from comment #0 and wants to reduce the value of "nextUpdate", the script can be extended with the "-crldays" option:

--
#!/bin/bash

nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"

if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then
    openssl ca \
      -config /etc/univention/ssl/openssl.cnf \
      -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
      -crldays 7 \
      -passin file:/etc/univention/ssl/password

    openssl crl \
      -in /etc/univention/ssl/ucsCA/crl/crl.pem \
      -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
      -inform pem -outform der

    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--

Nevertheless, the value for crldays/nextUpdate should be configurable via UCR.
Comment 4 Philipp Hahn univentionstaff 2016-06-23 14:13:15 CEST
r70576 | Bug #35748 ssl: Re-generate CRL periodically

Package: univention-ssl
Version: 10.0.0-12.169.201606231402
Branch: ucs_4.1-0
Scope: errata4.1-2

r70577 | Bug #31369,Bug #39257,Bug #24094,Bug #40498,Bug #25285,Bug #35748: ssl YAML
 univention-ssl.yaml
Comment 5 Janek Walkenhorst univentionstaff 2016-07-14 18:38:08 CEST
Code review: OK
Tests: OK
Advisory: OK
Comment 6 Janek Walkenhorst univentionstaff 2016-07-21 15:16:05 CEST
<http://errata.software-univention.de/ucs/4.1/213.html>