December, 2007

  • Care, Share and Grow!

    Certificate Trust List not being honored by IIS 5.0/6.0/7.0?

    • 8 Comments

    Something to be aware of if you are dealing with client certificates and assume that a Certificate Trust List (CTL) will limit the list of trusted Certificate Authorities (CAs) sent to the client during the initial SSL handshake.

    On IIS 5.0 after the MS04-011 update, and on IIS 6.0/7.0, a CTL cannot be used to limit the list of CAs sent back to the client during the SSL/TLS handshake. In other words, you can't use a CTL to limit the list of certificates that Internet Explorer shows in its certificate prompt: IE will show all the certificates, irrespective of whether the issuing CA is part of the CTL or not.

    This does not apply to the Apache web server: Apache sends only the CAs that are part of the CTL. The IIS behavior was implemented as a security design feature. You can use OpenSSL to check the behavior:

    Let's assume we have a web site www.test.com that accepts client certificates. OpenSSL shows the following transaction. Note that the server sends the list of all its CAs even though a CTL has been configured to allow only specific CAs: no CA names are sent on the initial handshake, and the full list appears in the renegotiation triggered by the GET request.


    C:\>OpenSSL s_client -connect www.test.com:443 -prexit
    Loading 'screen' into random state - done
    CONNECTED(00000790)
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
       i:/DC=com/DC=Saurabh1/CN=Microsoft
    ---
    Server certificate
    [server certificate PEM block omitted]
    subject=/C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    issuer=/DC=com/DC=Saurabh1/CN=Microsoft
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1384 bytes and written 324 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: B21A0000950C415B75F380724109AE354A29437F77C62FCEF493BD823C62C616
        Session-ID-ctx:
        Master-Key: 6A2F53DBE5ED1565D1E7CB218B4D1B7AF7CFE07594469D69772C26232BBB0253326ACC25A106D3A6B4521B3B0989D57D
        Key-Arg   : None
        Start Time: 1197061986
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    GET /test.asp
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    read R BLOCK
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>The page requires a client certificate</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
    <STYLE type="text/css">
      BODY { font: 8pt/12pt verdana }
      H1 { font: 13pt/15pt verdana }
      H2 { font: 8pt/12pt verdana }
      A:link { color: red }
      A:visited { color: maroon }
    </STYLE>
    </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

    <h1>The page requires a client certificate</h1>
    The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server will recognize. The client certificate is used for identifying you as a valid user of the resource.
    <hr>
    <p>Please try the following:</p>
    <ul>
    <li>Contact the Web site administrator if you believe you should be able to view this directory or page without a client certificate, or to obtain a client certificate.</li>
    <li>If you already have a client certificate, use your Web browser's security features to ensure that your client certificate is installed properly. (Some Web browsers refer
    to client certificates as browser or personal certificates.)</li>
    </ul>
    <h2>HTTP Error 403.7 - Forbidden: SSL client certificate is required.<br>Internet Information Services (IIS)</h2>
    <hr>
    <p>Technical Information (for support personnel)</p>
    <ul>
    <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>403</b>.</li>
    <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
    and search for topics titled <b>About Certificates</b>, <b>Using Certificate Trust Lists</b>, <b>Enabling Client Certificates</b>, and <b>About Custom Error Messages</b>.</li>
    </ul>

    </TD></TR></TABLE></BODY></HTML>

    read:errno=0
    ---
    Certificate chain
    0 s:/C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
       i:/DC=com/DC=Saurabh1/CN=Microsoft
    ---
    Server certificate
    [server certificate PEM block omitted]
    subject=/C=CA/ST=Karnataka/L=Bangalore/O=abc/OU=IIS/CN=www.test.com
    issuer=/DC=com/DC=Saurabh1/CN=Microsoft
    ---
    Acceptable client certificate CA names
    /DC=com/DC=Saurabh1/CN=Microsoft
    /DC=com/DC=Saurabh1/CN=Saurabh CA
    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
    /C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
    /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
    /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
    /C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
    /C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
    /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
    /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority

    ---
    SSL handshake has read 7991 bytes and written 740 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 7F0A00002D0024D14CCB9D959D185669A22B6F9ECF613E75C0B9A7DD75DD436A
        Session-ID-ctx:
        Master-Key: A17E388F8744B03CAA268418A700F92B5BABDBD09908F8E5503B299579CA4C09A93CCEC5BBCB7BD2F39A2C64EF36F674
        Key-Arg   : None
        Start Time: 1197061993
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

    This is the default behavior for IIS 5.0 (post MS04-011) and IIS 6.0, and to my knowledge it will remain so going forward with IIS 7.0 as well.
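    One way to turn the check above into something repeatable is to parse the s_client output and compare the CA names the server actually advertised against the CTL you think is in force. This is an added example, not code from the original post: the CTL allow-list is hypothetical and the s_client output is a constructed, trimmed copy of the capture above.

```python
from typing import List, Optional

# Constructed sample of `openssl s_client -prexit` output, reduced to the
# sections the check reads (same shape as the capture in the post).
SAMPLE_OUTPUT = """\
---
No client certificate CA names sent
---
GET /test.asp
read:errno=0
---
Acceptable client certificate CA names
/DC=com/DC=Saurabh1/CN=Microsoft
/DC=com/DC=Saurabh1/CN=Saurabh CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority

---
SSL handshake has read 7991 bytes and written 740 bytes
"""

# Hypothetical CTL: the two CAs the administrator actually wants to accept.
CTL_ALLOWED = {"/DC=com/DC=Saurabh1/CN=Microsoft", "/DC=com/DC=Saurabh1/CN=Saurabh CA"}

def advertised_ca_names(s_client_output: str) -> Optional[List[str]]:
    """DNs listed under the last 'Acceptable client certificate CA names' header,
    or None if the server never sent CA names (only 'No client certificate CA names sent')."""
    names: Optional[List[str]] = None
    block: Optional[List[str]] = None
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Acceptable client certificate CA names":
            block = []                   # start collecting; a later header replaces this list
        elif block is not None and line == "---":
            names, block = block, None   # the '---' separator closes the DN block
        elif block is not None and line:
            block.append(line)           # blank lines inside the block are ignored
    return names if block is None else block

def cas_outside_ctl(s_client_output: str, ctl_allowed: set) -> List[str]:
    """DNs the server advertised that are not in the CTL. A non-empty result means
    the CTL is not restricting the CA list sent to clients (the IIS behaviour above)."""
    names = advertised_ca_names(s_client_output)
    return [] if names is None else [dn for dn in names if dn not in ctl_allowed]

if __name__ == "__main__":
    for dn in cas_outside_ctl(SAMPLE_OUTPUT, CTL_ALLOWED):
        print("advertised but not in CTL:", dn)
```

    Feed it the real output of `openssl s_client -connect host:443 -prexit` (request a protected page so the renegotiation happens) and an empty result means the server's CA list matches the CTL.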

  • Care, Share and Grow!

    My turn will get over too...

    • 1 Comments

    [Non Technical]

    Recently I got an extra responsibility to be an On-call engineer for IIS/ASP.Net support for one week apart from my daily work schedule. And I never realized what toll it can take on me until I took over it.

    Basically an On-Call engineer has to be available during the night hours for the entire week. S/he is just a backup, reserved in case a critical issue comes in and no one is around to take it. So it's like passively working 24x7 for a complete week. Remember it's an extra add-on after one's office hours.

    We have a very limited number of engineers in support during US night shift hours and weekends, assuming that call/case volume will be very low during this period. And when an incident case is opened during this time and no one is available to take it (assuming all the limited workforce is already occupied with work on other cases) the call goes on to the so-called privileged On-Call engineer. And depending upon the severity of the case s/he may have to work on it either from home or come to the office and then take over the mantle. Look how that poor person has to manage if s/he already had a tough day in the office. In my case I had no choice but to come to the office.

    And I was told that we don't get many calls for an On-call, and believing in the sanctity of the advice I was quite happy. But it looks like every day in my so-called night hours (I work in the US time zone although based in India) I get a ring for a critical (high severity and visible) case and the person on the other line starts gabbling all the technical stuff he damn cares to know about. And I am brutally woken up from my deep slumber, trying to recover at the earliest to make sense of what the other person is saying.... It kind of makes it amusing to me how fast I need to recover my senses (wherein a few seconds back I was dreaming of running around the trees in a state of bliss), to understand the technicalities of the phone conversation and get on with a bunch of people on the other line talking about how their server crashed like hell and how they saw their application getting into a hung state, or leaking memory etc. and what not. I understand their state (no one would like to work off hours at night or on weekends out of choice after a hectic day unless a lot is at stake) and I try my best to empathize with their state and help them to the best of my abilities, meanwhile also knowing my own state at that point ;-)....well, part of my job anyway.

    In fact, these days I have started dreaming that my cell is ringing and when I wake up there is utter silence, and I try to console myself that I will get a peaceful sleep today (I tell myself I won't get a call today for sure, let peace behold on me), which doesn't seem to be happening for the last few days.

    I am happy that it won't last long, another few days to go :-) and then I can be a free bird enjoying my after-hours (beyond my shift) and then of course the weekends. You see there are a lot of plans one tends to make for weekends if their weekdays had a perilous impact on them. Just a kind of compensation, I feel. One needs to find ways to freshen up. On a brighter note, I feel this stretch is really challenging and puts back hope in one's abilities (if you have lost it) to handle pressure and situations elsewhere too in other walks of life, and shows how far one can stretch his/her own limits if required. I am an optimist in the end and know ways to soothe myself.

    Looking forward to an exciting weekend ahead....guess today is just the start of the week.

    Cheers!
