Bug 35748
| Summary: | Keep CRL up to date | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Janis Meybohm <meybohm> |
| Component: | SSL | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
| Severity: | enhancement | ||
| Priority: | P5 | CC: | gohmann, grandjean, gulden, hahn |
| Version: | UCS 4.1 | ||
| Target Milestone: | UCS 4.1-2-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
FYI: The certificate Baseline Requirements of the CA/Browser Forum define: > the CA SHALL update and reissue CRLs at least once every seven days, > and the value of the "nextUpdate" field MUST NOT be more than ten days > beyond the value of the "thisUpdate" field https://cabforum.org/baseline-requirements-documents/ 2015111221000416 Just for completeness: if someone is using the script from comment #0 and wants to reduce the value of "nextUpdate", the script can be extended with the "-crldays" option: -- #!/bin/bash nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')" if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then openssl ca \ -config /etc/univention/ssl/openssl.cnf \ -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \ -crldays 7 \ -passin file:/etc/univention/ssl/password openssl crl \ -in /etc/univention/ssl/ucsCA/crl/crl.pem \ -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \ -inform pem -outform der cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/ fi -- Nevertheless, the value for crldays/nextUpdate should be configurable via UCR. r70576 | Bug #35748 ssl: Re-generate CRL periodically Package: univention-ssl Version: 10.0.0-12.169.201606231402 Branch: ucs_4.1-0 Scope: errata4.1-2 r70577 | Bug #31369,Bug #39257,Bug #24094,Bug #40498,Bug #25285,Bug #35748: ssl YAML univention-ssl.yaml Code review: OK Tests: OK Advisory: OK |
The nextUpdate field within ucsCA CRL is, by default, set to "now + 30 days" when a certificate is revoked. If those 30 days pass without a new revocation the CRL is outdated services that verify the CRL fail. We should update the CRL when it is outdated like: -- #!/bin/bash nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')" if [ $(date -u -d "$nextUpdate" '+%s') -lt $(date -u '+%s') ]; then openssl ca \ -config /etc/univention/ssl/openssl.cnf \ -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \ -passin file:/etc/univention/ssl/password openssl crl \ -in /etc/univention/ssl/ucsCA/crl/crl.pem \ -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \ -inform pem -outform der cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/ fi -- We could for example define @reboot cronjob or init script that defines a AT-job that updates the CRL at $nextUpdate (and afterwards defines a new AT-job at the new $nextUpdate, respectively updates the AT-job if $nextUpdate has changed in between).