X509 Authentication + revoked certificates

Hello all,

From what I understand, a certificate is treated as valid if the current time (when checking) is between the certificate's creation and expiration time. So if a revoked certificate has not expired yet, it is considered valid and access is granted when using X509 authentication. Is there any way to prevent users from logging into CAS when presenting revoked certificates?

Thanks,

Pavlos

(Server Configuration: CAS 3.2.1, Tomcat 6.0.14 with APR support)

_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev
Fwd: X509 Authentication + revoked certificates

Hello all,

any comments?

Thanks

---------- Forwarded message ----------
From: Pavlos Drandakis <pdrados@...>
Date: Thu, May 8, 2008 at 6:10 PM
Subject: X509 Authentication + revoked certificates
To: cas-dev@...
Re: X509 Authentication + revoked certificates

With cas-server-support-x509, a certificate is indeed treated as valid:

1- if it matches a trusted issuer DN (subjectDnPattern)...
2- ...within a specified range of intermediate CAs (maxPathLength),
3- if it's not expired (and already valid),
4- if its key usage validates an optionally specified one.

but it doesn't check any CertificateRevocationList (CRL) (yet?).

If you want this check, the easiest way is to rely on mod_ssl installed on an Apache frontal web server. The SSLCARevocationPath directive allows you to specify a list of CRLs the certificate will be checked against.

You can also develop your own authentication handler....

Romain

Pavlos Drandakis wrote:
> Hello all,
>
> From what I understand, a certificate is treated as valid if the current
> time (when checking) is between the certificate's creation and expiration
> time. So if a revoked certificate has not expired yet, it is considered
> valid and access is granted when using X509 authentication. Is there
> any way to prevent users from logging into CAS when presenting revoked
> certificates?
>
> Thanks,
>
> Pavlos
>
> (Server Configuration: CAS 3.2.1, Tomcat 6.0.14 with APR support)
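A mod_ssl configuration of the kind Romain describes, added here as an example; it is not part of the thread or of the CAS project, and the file paths are assumed placeholders:

```apache
# Virtual-host fragment for an Apache frontal in front of Tomcat/CAS.
# Client certificates are mandatory; the handshake fails unless the
# presented chain ends in one of the CAs listed in SSLCACertificateFile.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
# assumed path: concatenated PEM of the trusted issuing CAs
SSLCACertificateFile /etc/ssl/cas/trusted-cas.pem

# assumed path: directory holding one PEM CRL per issuing CA.
# mod_ssl finds the CRLs by issuer-name hash, so the directory must be
# re-hashed (c_rehash, or "openssl rehash" on OpenSSL 1.1) every time a
# CRL is added or refreshed; a CRL whose nextUpdate has passed makes
# every certificate from that CA fail verification.
SSLCARevocationPath /etc/ssl/cas/crls

# Apache 2.4 only (unknown directive on 2.2, where setting the path above
# is enough): CRL checking is off by default and must be switched on.
# "chain" checks the client certificate and every intermediate CA.
SSLCARevocationCheck chain

# Export the already-verified certificate so the AJP connector can pass it
# to Tomcat, where cas-server-support-x509 reads it from the request.
SSLOptions +StdEnvVars +ExportCertData
```

With this in place a revoked certificate is rejected during the TLS handshake, before the request ever reaches CAS. The operational cost is the CRL refresh: a cron job (or equivalent) has to download each CA's CRL and re-hash the directory before the current one expires, otherwise the lock-out described in the comment hits legitimate users.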
Re: X509 Authentication + revoked certificates

Pavlos,

Did you try to turn on the CRL check in the Security Provider? If your client certificate does have CRLDP extensions, with a Sun JVM and the Sun Security Provider you should be able to do it (not tested yet, sorry). In order to do so, you have to set these system properties:

com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true

You might have more debug log using:

java.security.debug=certpath

You might also be able to do it using an OCSP responder on a Sun JRE 6:
http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html

Regards,

Arnaud Lesueur

On Wed, May 21, 2008 at 4:45 PM, Romain BOURGUE <romain.bourgue@...> wrote:
> With cas-server-support-x509, a certificate is indeed treated as valid:
> 1- if it matches a trusted issuer DN (subjectDnPattern)...
> 2- ...within a specified range of intermediate CAs (maxPathLength),
> 3- if it's not expired (and already valid),
> 4- if its key usage validates an optionally specified one.
>
> but it doesn't check any CertificateRevocationList (CRL) (yet?).
>
> If you want this check, the easiest way is to rely on mod_ssl installed on an
> Apache frontal web server. The SSLCARevocationPath directive allows you to specify a
> list of CRLs the certificate will be checked against.
>
> You can also develop your own authentication handler....
>
>
> Romain

--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
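The two routes the thread mentions, Arnaud's JVM-level switches and Romain's "develop your own authentication handler", meet in the JDK's PKIX CertPathValidator. The following is an added example of such a check and is not code from the thread or from cas-server-support-x509; the class name, the PEM file names and the CLI usage are assumptions. It runs on the Java 5/6 level the thread's CAS 3.2.1 setup would have used.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Revocation-aware PKIX validation of a client certificate chain.
 * Hypothetical helper written for this thread, not part of cas-server-support-x509.
 */
public final class RevocationCheckedValidator {

    private final PKIXParameters params;
    private final CertPathValidator validator;

    /**
     * @param anchors trusted root CAs; the roots themselves must NOT appear in the chains validated later
     * @param crls    CRLs obtained out of band; may be empty when CRLDP/OCSP fetching is enabled on the JVM
     */
    public RevocationCheckedValidator(Set<TrustAnchor> anchors, List<X509CRL> crls)
            throws GeneralSecurityException {
        validator = CertPathValidator.getInstance("PKIX");
        params = new PKIXParameters(anchors);
        // Default PKIXParameters have revocation checking switched OFF, which is
        // exactly the gap the thread describes: not-expired but revoked passes.
        params.setRevocationEnabled(true);
        if (!crls.isEmpty()) {
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));
        }
    }

    /** The Sun/Oracle-provider switches from Arnaud's mail: fetch CRLs from the certificate's
     *  CRL distribution points and ask the OCSP responder named in its AIA extension. */
    public static void enableNetworkRevocationLookups() {
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
    }

    /**
     * @param chain leaf certificate first, then intermediates, without the trust anchor
     * @return true only if the chain builds to a trust anchor and no certificate in it is revoked
     */
    public boolean isAcceptable(List<X509Certificate> chain) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Thrown both for "certificate revoked" and for "revocation status could not
            // be determined" (no usable CRL for the issuer): PKIX fails closed in both cases.
            System.err.println("rejected: " + e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    static X509Certificate readCert(String file) throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream(file);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    static X509CRL readCrl(String file) throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream(file);
        try {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } finally {
            in.close();
        }
    }

    /** Assumed usage: java RevocationCheckedValidator ca.pem ca.crl client.pem */
    public static void main(String[] args) throws Exception {
        X509Certificate ca = readCert(args[0]);
        X509CRL crl = readCrl(args[1]);
        X509Certificate client = readCert(args[2]);

        RevocationCheckedValidator v = new RevocationCheckedValidator(
                Collections.singleton(new TrustAnchor(ca, null)),
                Collections.singletonList(crl));

        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        chain.add(client); // intermediate CA certificates, if any, would follow here
        System.out.println(v.isAcceptable(chain) ? "ACCEPT" : "REJECT");
    }
}
```

Two points matter when wiring this into a handler. First, the validator fails closed: if the issuer's CRL is missing, or its nextUpdate has passed, every certificate from that issuer is rejected rather than let through, so a CRL refresh job is part of the deployment, the same as with mod_ssl. Second, the properties Arnaud lists only take effect where the PKIX validator is actually invoked with revocation enabled; an X.509 handler that merely matches the subject DN, path length and validity dates, as Romain describes, never consults them.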