
X509RevocationMode.Online cause different result on Linux and Windows #27457

Closed
AvailCat opened this issue Sep 24, 2018 · 5 comments
Labels
area-System.Net.Security os-linux Linux OS (any supported distro)
Milestone

Comments

@AvailCat

Demo project:
project.zip

Environment:
.NET Core 2.1 on Windows 10 and Debian 9

Steps to reproduce:
Download the demo project and run it on Windows and Linux.
It will print "Cert valid? True" on Windows, and "Cert valid? False" on Linux with an exception.

[image: screenshot of the console output]

About the demo:
An HttpClient with ServerCertificateCustomValidationCallback; the callback sets ChainPolicy.RevocationMode = X509RevocationMode.Online.

@AvailCat
Author

AvailCat commented Sep 24, 2018

Tested with openssl + -crl_check and got the same result. However, the demo project works on Windows.

$ openssl s_client -showcerts -connect letsencrypt.org:443 -crl_check
CONNECTED(00000003)
depth=0 CN = www.letsencrypt.org
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:/CN=www.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3857 bytes and written 302 bytes
Verification error: unable to get certificate CRL
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 68582E11C665348BD0A8A64BDE1F42BA51E2A8B42A316C09F8C2C41E42C060AC
    Session-ID-ctx: 
    Master-Key: 51169F61C2A1D5021FAFC48285CEABB56655E51D63FA4D6A4406875F2FAB05458B5F9061CB2636A2A73C2AA907B1F38C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 00 00 0c e0 12 20 32 c8-31 5f fa b5 c9 79 ef d9   ..... 2.1_...y..
    0010 - 69 d9 ee 3c cb af 42 db-e4 4b 25 7a 1d d8 59 84   i..<..B..K%z..Y.
    0020 - 93 ed a7 e8 2c b0 b8 89-08 eb cc db c2 4e 77 27   ....,........Nw'
    0030 - 25 48 08 1f d3 c0 a0 fb-02 2f 14 d5 0b ac 75 0a   %H......./....u.
    0040 - 47 be d4 e0 d0 60 d0 ee-8b ec e1 39 89 34 c2 80   G....`.....9.4..
    0050 - 15 14 e4 78 49 ad 05 6e-dd 53 55 72 36 65 dd 24   ...xI..n.SUr6e.$
    0060 - c1 ac 14 2f ae c2 6d 55-95 f7 41 02 cc 1f 95 a0   .../..mU..A.....
    0070 - ff 4f 81 ea 44 b5 e6 0c-19 e3 72 51 1a 4a b9 17   .O..D.....rQ.J..
    0080 - d4 d3 36 d9 3b 89 a9 14-27 3f f8 5f 79 3a a3 68   ..6.;...'?._y:.h
    0090 - d4 86 2f 4f e8 08 01 95-42 3b 4d ce b8 ee 39      ../O....B;M...9
    00a0 - <SPACES/NULS>

    Start Time: 1537785762
    Timeout   : 7200 (sec)
    Verify return code: 3 (unable to get certificate CRL)
    Extended master secret: no
---

@AvailCat
Author

Another way to check certificate revocation is with OCSP. Got "Response verify OK" and "letsencrypt.pem: good".

$ openssl ocsp -issuer chain.pem -cert letsencrypt.pem -text -url http://ocsp.int-x3.letsencrypt.org
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0368120A6FC1B6F091D9ED9B21AA7961B5DA
    Request Extensions:
        OCSP Nonce: 
            0410E43FD5BD8B84E03687874707AB2A0225
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Sep 22 18:32:00 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0368120A6FC1B6F091D9ED9B21AA7961B5DA
    Cert Status: good
    This Update: Sep 22 18:00:00 2018 GMT
    Next Update: Sep 29 18:00:00 2018 GMT

    Signature Algorithm: sha256WithRSAEncryption
         20:c1:34:cc:3c:31:c0:85:07:4b:6f:75:2d:cd:f9:5d:33:27:
         9e:c1:f2:06:39:ed:4d:be:4e:7a:55:1c:56:c8:5a:c2:3d:7e:
         8b:fc:49:3a:a0:72:8b:35:fe:46:5d:e3:92:96:10:3b:92:da:
         4e:42:ab:b5:28:ce:a6:9b:3f:e6:c1:d1:9e:a5:c5:20:57:0b:
         34:7d:84:55:19:13:e2:c5:65:41:a7:59:1a:99:c9:93:74:14:
         39:3f:38:bb:5d:25:ce:72:90:59:65:12:41:a6:ad:de:ff:ee:
         cf:2b:18:e3:49:74:76:69:ab:80:7b:33:2e:2b:03:de:45:aa:
         06:9d:59:95:cc:d8:67:29:4c:89:b3:3d:1d:0e:cb:4c:65:89:
         a5:6c:83:d7:6a:65:b8:ab:5f:ff:f6:75:50:ea:48:6c:b6:dc:
         83:bd:4f:99:62:6d:59:4a:9b:25:63:ba:77:1f:df:19:72:09:
         21:7b:8f:38:85:29:13:40:8e:dd:7b:5a:91:ff:e0:02:ab:c9:
         fe:2d:fe:a4:a4:59:b1:46:89:b8:df:53:a5:b7:3a:ce:d7:9a:
         6b:63:85:2d:78:ca:f7:1c:02:b2:7b:d1:87:fe:25:17:b8:f8:
         cd:2c:14:73:84:e1:a5:7e:30:5a:a0:cb:19:83:74:ee:e2:f0:
         87:50:b0:c4
WARNING: no nonce in response
Response verify OK
letsencrypt.pem: good
	This Update: Sep 22 18:00:00 2018 GMT
	Next Update: Sep 29 18:00:00 2018 GMT

@joshfree
Member

cc @bartonjs @davidsh

@bartonjs
Member

Let's Encrypt supports OCSP, but not CRL. We don't currently have OCSP wired up on Linux (#3034).

All of the blocking conditions on that should be gone now, so it's probably time to do that work.
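Added example (not the issue's demo project, whose code is only in the attached project.zip, and not dotnet/corefx code): an HttpClient whose ServerCertificateCustomValidationCallback sets ChainPolicy.RevocationMode = X509RevocationMode.Online, as the first comment describes, and then prints every X509ChainStatus so that a "Cert valid? False" can be traced to the flag that caused it. This matters for the explanation above: when the CA publishes only OCSP and the platform has no OCSP client, the chain comes back with RevocationStatusUnknown / OfflineRevocation, which means "could not check", not "revoked". The host is the one used in the openssl commands above; the class and method names are this example's own. Written for C# 7.3 so it compiles on .NET Core 2.1.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not the demo project from the issue. Names below are illustrative.
static class RevocationCheckDemo
{
    static void Main()
    {
        var handler = new HttpClientHandler
        {
            // HttpClientHandler.CheckCertificateRevocationList is false by default, so the
            // handler's own chain build does not check revocation; the callback adds it.
            ServerCertificateCustomValidationCallback = ValidateWithOnlineRevocation
        };

        using (var client = new HttpClient(handler))
        {
            try
            {
                var response = client.GetAsync("https://letsencrypt.org/").GetAwaiter().GetResult();
                Console.WriteLine("HTTP " + (int)response.StatusCode);
            }
            catch (HttpRequestException ex)
            {
                // A callback that returns false surfaces here, wrapping an
                // AuthenticationException about an invalid remote certificate.
                Console.WriteLine("Request failed: " + ex.Message);
            }
        }
    }

    // The handler has already built 'chain' once and summarised that result in
    // sslPolicyErrors. Reusing the handler's chain keeps any intermediates it collected
    // in ExtraStore; we only change the policy and rebuild.
    static bool ValidateWithOnlineRevocation(
        HttpRequestMessage request, X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null || chain == null || sslPolicyErrors != SslPolicyErrors.None)
        {
            Console.WriteLine("Default validation failed: " + sslPolicyErrors);
            return false;
        }

        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // roots carry no revocation pointer
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(certificate);

        // Log each status flag. RevocationStatusUnknown / OfflineRevocation are the
        // "could not check" outcomes; a CRL-less CA on a platform without an OCSP
        // client produces exactly these. Fail closed rather than ignoring them.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            Console.WriteLine("  " + status.Status + ": " + (status.StatusInformation ?? "").Trim());
        }

        Console.WriteLine("Cert valid? " + built);
        return built;
    }
}
```

Run it on both platforms and compare the flag lines, not just the final boolean: the same "Cert valid? False" can come from a genuinely revoked certificate (Revoked) or from a revocation source the platform could not consult (RevocationStatusUnknown / OfflineRevocation). If an application decides to tolerate the latter, it should do so explicitly by inspecting chain.ChainStatus, never by returning true unconditionally from the callback.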

@bartonjs
Member

Closing in favor of #15113.

@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 3.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 15, 2020