Bug 1378797 - Web UI must check OCSP and CRL during smartcard login
Summary: Web UI must check OCSP and CRL during smartcard login
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-23 09:44 UTC by Roshni
Modified: 2017-08-01 09:42 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:42:02 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Roshni 2016-09-23 09:44:36 UTC
Description of problem:
[RFE] Web UI must check OCSP and CRL during smartcard login

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Follow http://www.freeipa.org/page/V4/External_Authentication/Setup to enable smartcard authentication to IPA Web UI
2. The smart card has a revoked certificate
3.

Actual results:
Login to Web UI is successful

Expected results:
Login to Web UI should fail

Additional info:

Comment 2 Petr Vobornik 2016-09-30 13:27:07 UTC
triage notes:   

mod_nss config needs to be changed -> IPA issue
    NSSOCSP on

for CRL, a list needs to be loaded to NSS db and updated regularly(mod_revocator might help). 

OCSP might be therefore preferred but it might have some performance impact which needs to be tested.

Comment 3 Petr Vobornik 2016-09-30 13:28:15 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6370

Comment 4 Petr Vobornik 2017-04-12 08:23:54 UTC
Changing into a bug which must be fixed with introduction of certificate mapping authentication (introduced FreeIPA 4.5). Without it, user would be able to authenticate with expired or revoked certificate.

Comment 8 Scott Poore 2017-05-24 22:38:21 UTC
Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Results ::

Tested with Firefox and user was unable to use revoked cert.

Also, tested with curl:

[root@dhcp129-184 nssdb]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:password" 'https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc1'
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IP...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IP) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*       start date: Mar 31 21:17:28 2017 GMT
*       expire date: Apr 01 21:17:28 2019 GMT
*       common name: auto-hv-02-guest08.testrelm.test
*       issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
>
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*       subject: CN=demosc1,O=TESTRELM.TEST
*       start date: May 05 18:56:31 2017 GMT
*       expire date: May 06 18:56:31 2019 GMT
*       common name: demosc1
*       issuer: CN=Certificate Authority,O=TESTRELM.TEST
* SSL read: errno -12270 (SSL_ERROR_REVOKED_CERT_ALERT)
* SSL peer rejected your certificate as revoked.
* Closing connection 0
curl: (58) SSL peer rejected your certificate as revoked.

Comment 9 errata-xmlrpc 2017-08-01 09:42:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.