RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1378797 - Web UI must check OCSP and CRL during smartcard login
Summary: Web UI must check OCSP and CRL during smartcard login
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-23 09:44 UTC by Roshni
Modified: 2017-08-01 09:42 UTC (History)
5 users (show)

Fixed In Version: ipa-4.5.0-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:42:02 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Roshni 2016-09-23 09:44:36 UTC 
Description of problem:
[RFE] Web UI must check OCSP and CRL during smartcard login

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Follow http://www.freeipa.org/page/V4/External_Authentication/Setup to enable smartcard authentication to IPA Web UI
2. The smart card has a revoked certificate
3.

Actual results:
Login to Web UI is successful

Expected results:
Login to Web UI should fail

Additional info:
Comment 2 Petr Vobornik 2016-09-30 13:27:07 UTC 
triage notes:   

mod_nss config needs to be changed -> IPA issue
    NSSOCSP on

for CRL, a list needs to be loaded to NSS db and updated regularly(mod_revocator might help). 

OCSP might be therefore preferred but it might have some performance impact which needs to be tested.
Comment 3 Petr Vobornik 2016-09-30 13:28:15 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6370
Comment 4 Petr Vobornik 2017-04-12 08:23:54 UTC 
Changing into a bug which must be fixed with introduction of certificate mapping authentication (introduced FreeIPA 4.5). Without it, user would be able to authenticate with expired or revoked certificate.
Comment 5 Tomas Krizek 2017-05-10 07:11:21 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/e0b32dac5462164869ab19c3d56c36e80cde4b7b
ipa-4-5:
https://pagure.io/freeipa/c/4aa7e70fcd1851394f943da669d6af4e11b60940
Comment 8 Scott Poore 2017-05-24 22:38:21 UTC 
Verified.

Version ::

ipa-server-4.5.0-13.el7.x86_64

Results ::

Tested with Firefox and user was unable to use revoked cert.

Also, tested with curl:

[root@dhcp129-184 nssdb]# curl -v --insecure --cert "demosc1 (OpenSC Card)\:Certificate:password" 'https://auto-hv-02-guest08.testrelm.test/ipa/session/login_x509?username=demosc1'
* About to connect() to auto-hv-02-guest08.testrelm.test port 443 (#0)
*   Trying IPA_SERVER_IP...
* Connected to auto-hv-02-guest08.testrelm.test (IPA_SERVER_IP) port 443 (#0)
* Initializing NSS with certpath: sql:/tmp/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=auto-hv-02-guest08.testrelm.test,O=TESTRELM.TEST
*       start date: Mar 31 21:17:28 2017 GMT
*       expire date: Apr 01 21:17:28 2019 GMT
*       common name: auto-hv-02-guest08.testrelm.test
*       issuer: CN=Certificate Authority,O=TESTRELM.TEST
> GET /ipa/session/login_x509?username=demosc1 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: auto-hv-02-guest08.testrelm.test
> Accept: */*
>
* skipping SSL peer certificate verification
* NSS: using client certificate: demosc1 (OpenSC Card):Certificate
*       subject: CN=demosc1,O=TESTRELM.TEST
*       start date: May 05 18:56:31 2017 GMT
*       expire date: May 06 18:56:31 2019 GMT
*       common name: demosc1
*       issuer: CN=Certificate Authority,O=TESTRELM.TEST
* SSL read: errno -12270 (SSL_ERROR_REVOKED_CERT_ALERT)
* SSL peer rejected your certificate as revoked.
* Closing connection 0
curl: (58) SSL peer rejected your certificate as revoked.
Comment 9 errata-xmlrpc 2017-08-01 09:42:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.