From: Von H. <von...@ya...> - 2015-05-20 18:04:47

I saw a note in the archives that it had not as of ~2009, but wondered if that has changed.

--thanks, Von
From: Von H. <von...@ya...> - 2015-05-20 18:02:02

Hello,

Does anyone still listening to this PKIF list know if the OCSP Plugin uses HTTP GET or POST to submit a request? I suspect it's POST, but will have to install and packet capture to test for sure unless someone knows. I couldn't find it in a quick source code review.
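The question above goes unanswered on the list. As an added example (not PKIF code and not from the thread), the block below shows the two submission forms RFC 6960 Appendix A allows for an OCSP request over HTTP, and a small classifier that tells a captured HTTP request of either kind apart, which is what a packet capture would be inspected for. The responder URL, issuer bytes and serial number are constructed placeholders.

```python
"""OCSP request over HTTP: the GET and POST forms defined in RFC 6960, Appendix A."""
import base64
import hashlib
import urllib.parse
from typing import Dict, Optional, Tuple

SHA1_OID = bytes.fromhex("2b0e03021a")  # content octets of OID 1.3.14.3.2.26 (id-sha1)
OCSP_REQUEST_CT = "application/ocsp-request"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Tag-length-value with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a 0x00 pad byte is added when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_der: bytes, issuer_spk: bytes, serial: int) -> bytes:
    """DER OCSPRequest carrying one CertID (SHA-1 hashes); all optional fields omitted."""
    cert_id = der(0x30, b"".join([
        der(0x30, der(0x06, SHA1_OID) + der(0x05, b"")),    # hashAlgorithm: sha1, NULL params
        der(0x04, hashlib.sha1(issuer_name_der).digest()),   # issuerNameHash over issuer Name DER
        der(0x04, hashlib.sha1(issuer_spk).digest()),        # issuerKeyHash over subjectPublicKey bits
        der_integer(serial),                                 # serialNumber
    ]))
    request = der(0x30, cert_id)           # Request ::= SEQUENCE { reqCert CertID }
    tbs = der(0x30, der(0x30, request))    # TBSRequest { requestList SEQUENCE OF Request }
    return der(0x30, tbs)                  # OCSPRequest { tbsRequest, no optionalSignature }


def ocsp_get_url(responder_url: str, req_der: bytes) -> str:
    """GET form: URL + '/' + url-encoded base64 of the DER (cacheable; meant for small requests)."""
    b64 = base64.b64encode(req_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def ocsp_post(responder_url: str, req_der: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """POST form: the raw DER is the body, typed application/ocsp-request."""
    headers = {"Content-Type": OCSP_REQUEST_CT, "Content-Length": str(len(req_der))}
    return responder_url, headers, req_der


def classify_captured_request(raw: bytes) -> Optional[str]:
    """For one captured HTTP request return 'GET' or 'POST' if it carries an OCSP request, else None.
    Assumes the GET form is url-encoded as the RFC specifies, so the base64 is the last path segment."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    if method == "POST":
        if headers.get("content-type", "").lower() == OCSP_REQUEST_CT and body[:1] == b"\x30":
            return "POST"
        return None
    if method == "GET":
        try:
            decoded = base64.b64decode(urllib.parse.unquote(target.rsplit("/", 1)[-1]), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if decoded[:1] == b"\x30":   # DER SEQUENCE: the outer OCSPRequest
            return "GET"
    return None
```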
From: Todd E. J. <tej...@ya...> - 2013-03-18 16:01:15

Hello,

Below are a few notes of some hacks I have made during my build process of PKIF on Ubuntu 12.10 LTS. These are a bit ugly, and I can produce a patch if needed. This helps to overcome problems building when using G++ 4.7, as well as updated Boost libs (for Boost Filesystem3):

<Notes>

Problem: building with newer G++: use of the -R option when searching for boost libs
Resolution: Remove "-R" flag from the build - I edited the configure script

Problem: src/PKIFUTILS/CACException.cpp multiple 'sprintf' not declared in scope
Resolution: #include <cstdio>

Problem: In Boost the constructor path(string, name_check) is not supported anymore. It's just path(string)
Resolution: Change to "fs::path(filename)" in src/PKIFUTILS/FileUtils.cpp

Problem: src/PKIFUTILS/HttpServerBlacklist.cpp multiple "sscanf" not declared in scope
Resolution: #include <cstdio>

Note: PKIFv2_1_14-source/srclib/cryptopp/eccrypto.h 'GenerateRandom' changed to 'this->GenerateRandom'
Note: PKIFv2_1_14-source/srclib/cryptopp/secblock.h 'CheckSize' changed to 'this->CheckSize'

Note: There were a few instances of:
/usr/include/c++/4.7/backward/backward_warning.h:33:2: warning: #warning This file includes at least one deprecated or antiquated header which may be removed without further notice at a future date. Please use a non-deprecated interface with equivalent functionality instead. For a listing of replacement headers and interfaces, consult the file backward_warning.h. To disable this warning use -Wno-deprecated. [-Wcpp]

Problem: src/PKIFUTILS/HttpServerBlacklist.cpp multiple functions not declared in scope
Resolution: #include <cstdio>

Problem: In Boost the constructor path(string, name_check) is not supported anymore. It's just path(string)
Resolution: "fs::path( path, fs::native )" changed to "fs::path( path )" in src/PKIFSR/SimpleCertCache.cpp
And: "FILE* f = fopen(dir_itr->string().c_str(), "rb");"
Changed to: "FILE* f = fopen(dir_itr->path().filename().string().c_str(), "rb");"

Problem: src/PKIFSR/SimpleCRLCache.cpp multiple functions not declared in scope
Resolution: #include <cstdio>

Problem: In Boost the constructor path(string, name_check) is not supported anymore. It's just path(string)
Resolution: "fs::path( path, fs::native )" changed to "fs::path( path )" in src/PKIFSR/SimpleCRLCache.cpp
And: "FILE* f = fopen(dir_itr->string().c_str(), "rb");"
Changed to: "FILE* f = fopen(dir_itr->path().filename().string().c_str(), "rb");"

</Notes>

I am in the home stretch of getting the libs built, however, some flags are not found when linking libPKIF.so.14.0.0:

/bin/bash ../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I../src/include -I ../src/include -I ../src/include/PKIFUTILS -I/usr/local/include -pthread -g -O2 -MT dummy.lo -MD -MP -MF .deps/dummy.Tpo -c -o dummy.lo `test -f 'PKIFDLL/dummy.cpp' || echo './'`PKIFDLL/dummy.cpp
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I../src/include -I ../src/include -I ../src/include/PKIFUTILS -I/usr/local/include -pthread -g -O2 -MT dummy.lo -MD -MP -MF .deps/dummy.Tpo -c PKIFDLL/dummy.cpp -fPIC -DPIC -o .libs/dummy.o
libtool: compile: g++ -DHAVE_CONFIG_H -I. -I../src/include -I ../src/include -I ../src/include/PKIFUTILS -I/usr/local/include -pthread -g -O2 -MT dummy.lo -MD -MP -MF .deps/dummy.Tpo -c PKIFDLL/dummy.cpp -o dummy.o >/dev/null 2>&1
mv -f .deps/dummy.Tpo .deps/dummy.Plo
/bin/bash ../libtool --tag=CXX --mode=link g++ -g -O2 -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -version-info 14:0:0 -o libPKIF.la -rpath /usr/local/lib dummy.lo ASN1Helper/libASN1Helper.la PKIFX509/libPKIFX509.la PKIFUTILS/libPKIFUTILS.la PKIFCRYPT/libPKIFCRYPT.la PKIFSR/libPKIFSR.la PKIFPATH/libPKIFPATH.la PKIFREV/libPKIFREV.la -lboost_thread -pthread -lboost_filesystem-mt -lboost_date_time-mt -lboost_regex-mt
libtool: link: g++ -fPIC -DPIC -shared -nostdlib /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.7/crtbeginS.o .libs/dummy.o -Wl,--whole-archive ASN1Helper/.libs/libASN1Helper.a PKIFX509/.libs/libPKIFX509.a PKIFUTILS/.libs/libPKIFUTILS.a PKIFCRYPT/.libs/libPKIFCRYPT.a PKIFSR/.libs/libPKIFSR.a PKIFPATH/.libs/libPKIFPATH.a PKIFREV/.libs/libPKIFREV.a -Wl,--no-whole-archive -L/usr/local/lib -L/usr/local/src/PKIFv2_1_14-source/srclib/lib -L/usr/local/src/PKIFv2_1_14-source/srclib/libcurl/lib -L/usr/lib -lcryptopp -lnss3 -lnspr4 -lldap -llber -lcurl -lobjective -lietfasn1 -lboost_thread -lboost_filesystem-mt -lboost_date_time-mt -lboost_regex-mt -L/usr/lib/gcc/x86_64-linux-gnu/4.7 -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.7/../../.. -lstdc++ -lm -lc -lgcc_s /usr/lib/gcc/x86_64-linux-gnu/4.7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/4.7/../../../x86_64-linux-gnu/crtn.o -O2 -pthread -pthread -Wl,-soname -Wl,libPKIF.so.14 -o .libs/libPKIF.so.14.0.0
/usr/bin/ld.bfd.real: cannot find -lcryptopp
/usr/bin/ld.bfd.real: cannot find -lcurl
/usr/bin/ld.bfd.real: cannot find -lobjective
/usr/bin/ld.bfd.real: cannot find -lietfasn1
collect2: error: ld returned 1 exit status
make[2]: *** [libPKIF.la] Error 1
make[2]: Leaving directory `/usr/local/src/PKIFv2_1_14-source/devel/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/PKIFv2_1_14-source/devel/src'
make: *** [all-recursive] Error 1

Regards,
Todd E. Johnson
From: David L. <dav...@gm...> - 2012-03-13 15:14:36

Hello,

I've known your website for ages, strictly speaking from year 2007. I found interesting your publication PKIF - Home which I googled on http://pkif.sourceforge.net/ ! I'd love to use it in a project I'm involved with called "FCW Science", so I'm seeking your permission.

"FCW Science" is a freemium-model non-English language orientated startup with a collection of scientific articles, personal notes etc. in several languages that is collaboratively edited by volunteers from around the world since 1999. Young and old, students and professors - even your neighbor could be a volunteer member.

If you agree, we will credit you for your work in the resulting translation's references by stating that it was based on your work and is used with your permission, and by mentioning the name of my project "FCW Science" back to: http://pkif.sourceforge.net/

Thank you for your time and patience. I look forward to your response next week.

---
Best wishes,
David Leoney
Translation for Education FAQ - http://goo.gl/q9Oq9
From: Armen G. <AGa...@cy...> - 2011-12-08 15:16:51

I meant does not implement any cryptographic functionality.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 10:14 AM
To: Armen Galustyan
Cc: pki...@li...
Subject: RE: FIPS Compliant

That's great news. Thanks for the feedback.

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 10:13 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library itself does implement any cryptographic functionality. It relies on FIPS validated cryptographic modules (Microsoft Crypto API and Netscape Security Services). FIPS validation only applied to crypto modules that implement cryptographic functions. Because of that there is no need to have the library FIPS evaluated. PKIF library satisfies DoD FIPS requirement by using FIPS validated crypto modules.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 9:55 AM
To: Armen Galustyan
Cc: pki...@li...
Subject: RE: FIPS Compliant

Thanks Armen. Are there any plans to have the library FIPS evaluated? I think it's a DoD requirement to use a FIPS approved PKI solution.

JT

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 8:59 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library can be configured to use FIPS validated crypto (Microsoft Crypto API and Netscape Security Services). The other crypto used by the PKIF library (crypto++) has been FIPS evaluated but is not used in FIPS mode. PKIF library itself has not been FIPS evaluated.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 8:44 AM
To: pki...@li...
Subject: [PKIF-users] FIPS Compliant

Are these apps FIPS compliant?

Josh Turner
From: Joshua T. -X (j. - A. I. at Cisco) <jos...@ci...> - 2011-12-08 15:14:28

That's great news. Thanks for the feedback.

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 10:13 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library itself does implement any cryptographic functionality. It relies on FIPS validated cryptographic modules (Microsoft Crypto API and Netscape Security Services). FIPS validation only applied to crypto modules that implement cryptographic functions. Because of that there is no need to have the library FIPS evaluated. PKIF library satisfies DoD FIPS requirement by using FIPS validated crypto modules.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 9:55 AM
To: Armen Galustyan
Cc: pki...@li...
Subject: RE: FIPS Compliant

Thanks Armen. Are there any plans to have the library FIPS evaluated? I think it's a DoD requirement to use a FIPS approved PKI solution.

JT

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 8:59 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library can be configured to use FIPS validated crypto (Microsoft Crypto API and Netscape Security Services). The other crypto used by the PKIF library (crypto++) has been FIPS evaluated but is not used in FIPS mode. PKIF library itself has not been FIPS evaluated.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 8:44 AM
To: pki...@li...
Subject: [PKIF-users] FIPS Compliant

Are these apps FIPS compliant?

Josh Turner
From: Armen G. <AGa...@cy...> - 2011-12-08 15:13:09

The library itself does implement any cryptographic functionality. It relies on FIPS validated cryptographic modules (Microsoft Crypto API and Netscape Security Services). FIPS validation only applied to crypto modules that implement cryptographic functions. Because of that there is no need to have the library FIPS evaluated. PKIF library satisfies DoD FIPS requirement by using FIPS validated crypto modules.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 9:55 AM
To: Armen Galustyan
Cc: pki...@li...
Subject: RE: FIPS Compliant

Thanks Armen. Are there any plans to have the library FIPS evaluated? I think it's a DoD requirement to use a FIPS approved PKI solution.

JT

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 8:59 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library can be configured to use FIPS validated crypto (Microsoft Crypto API and Netscape Security Services). The other crypto used by the PKIF library (crypto++) has been FIPS evaluated but is not used in FIPS mode. PKIF library itself has not been FIPS evaluated.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 8:44 AM
To: pki...@li...
Subject: [PKIF-users] FIPS Compliant

Are these apps FIPS compliant?

Josh Turner
From: Joshua T. -X (j. - A. I. at Cisco) <jos...@ci...> - 2011-12-08 14:55:06

Thanks Armen. Are there any plans to have the library FIPS evaluated? I think it's a DoD requirement to use a FIPS approved PKI solution.

JT

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Thursday, December 08, 2011 8:59 AM
To: Joshua Turner -X (josturne - AEROTEK INC at Cisco)
Cc: pki...@li...
Subject: RE: FIPS Compliant

The library can be configured to use FIPS validated crypto (Microsoft Crypto API and Netscape Security Services). The other crypto used by the PKIF library (crypto++) has been FIPS evaluated but is not used in FIPS mode. PKIF library itself has not been FIPS evaluated.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 8:44 AM
To: pki...@li...
Subject: [PKIF-users] FIPS Compliant

Are these apps FIPS compliant?

Josh Turner
From: Armen G. <AGa...@cy...> - 2011-12-08 14:33:10

The library can be configured to use FIPS validated crypto (Microsoft Crypto API and Netscape Security Services). The other crypto used by the PKIF library (crypto++) has been FIPS evaluated but is not used in FIPS mode. PKIF library itself has not been FIPS evaluated.

From: Joshua Turner -X (josturne - AEROTEK INC at Cisco) [mailto:jos...@ci...]
Sent: Thursday, December 08, 2011 8:44 AM
To: pki...@li...
Subject: [PKIF-users] FIPS Compliant

Are these apps FIPS compliant?

Josh Turner
From: Joshua T. -X (j. - A. I. at Cisco) <jos...@ci...> - 2011-12-08 13:43:58

Are these apps FIPS compliant?

Josh Turner
From: Armen G. <AGa...@cy...> - 2011-11-01 19:09:43

2.1.7 release already includes CNG support. NSS and Crypto++ suite B support came much earlier. I would also recommend an upgrade to the latest release which is 2.1.14 now.

From: Bin Lu [mailto:bl...@ju...]
Sent: Tuesday, November 01, 2011 2:11 PM
To: Armen Galustyan
Cc: pki...@li...
Subject: RE: Suite B support

From which release was that support started? We are using PKIF 2.1.7.

Thanks,

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Tuesday, November 01, 2011 11:04 AM
To: Bin Lu
Cc: pki...@li...
Subject: RE: Suite B support

Yes, PKIF provides suite B support on Windows Vista, 7 and 2008 server using CAPI NG. PKIF also provides suite B support when using NSS and Crypto++ cryptographic mediators.

From: Bin Lu [mailto:bl...@ju...]
Sent: Tuesday, November 01, 2011 1:56 PM
To: pki...@li...
Subject: [PKIF-users] Suite B support

Hi,

Does PKIF support Suite B? Our federal customers are asking for this support.

Thanks,
-binlu
From: Armen G. <AGa...@cy...> - 2011-11-01 18:31:19

Yes, PKIF provides suite B support on Windows Vista, 7 and 2008 server using CAPI NG. PKIF also provides suite B support when using NSS and Crypto++ cryptographic mediators.

From: Bin Lu [mailto:bl...@ju...]
Sent: Tuesday, November 01, 2011 1:56 PM
To: pki...@li...
Subject: [PKIF-users] Suite B support

Hi,

Does PKIF support Suite B? Our federal customers are asking for this support.

Thanks,
-binlu
From: Bin Lu <bl...@ju...> - 2011-11-01 18:11:35

From which release was that support started? We are using PKIF 2.1.7.

Thanks,

From: Armen Galustyan [mailto:AGa...@cy...]
Sent: Tuesday, November 01, 2011 11:04 AM
To: Bin Lu
Cc: pki...@li...
Subject: RE: Suite B support

Yes, PKIF provides suite B support on Windows Vista, 7 and 2008 server using CAPI NG. PKIF also provides suite B support when using NSS and Crypto++ cryptographic mediators.

From: Bin Lu [mailto:bl...@ju...]
Sent: Tuesday, November 01, 2011 1:56 PM
To: pki...@li...
Subject: [PKIF-users] Suite B support

Hi,

Does PKIF support Suite B? Our federal customers are asking for this support.

Thanks,
-binlu
From: Bin Lu <bl...@ju...> - 2011-11-01 17:59:03

Hi,

Does PKIF support Suite B? Our federal customers are asking for this support.

Thanks,
-binlu
From: Rahat A. K. <rah...@as...> - 2011-09-30 06:27:05

Thanks for reply.

Rahat

On 09/29/2011 05:25 PM, Carl Wallace wrote:
> Resending with screenshots deleted to avoid exceeding mailing list size limit.
>
> From: Carl Wallace <ca...@re...>
> Date: Thu, 29 Sep 2011 07:45:12 -0400
> To: Rahat Ali Khan <rah...@as...>
> Cc: <pki...@li...>, <it...@as...>
> Subject: Re: [PKIF-users] An error in the log of PKIF OCSP Plugin
>
> It looks like the error about the time range does not pertain to this particular revocation check (it is probably fired when validating some authenticode signature).
>
> If OCSP does not yield an answer, the plugin will failover to CRLs if configured to do so. That you can modulate the result by turning CRL support on and off indicates there is an issue with OCSP processing. Here are a few things that could cause what you are seeing:
>
> * The responder is not accessible
> * The responder is not providing status for the certificate in question
> * Responses signed by the responder cannot be validated
>
> The last bullet would be my guess. Confirm that the OCSP responder is using a certificate that can be validated to a trust anchor in the store the OCSP plug-in is configured to use. If it is using a self-signed certificate and that certificate is not in a trust store used by the plugin, then OCSP functionality will not work. The PITT utility that is available on the PKIF source forge site may be useful in troubleshooting the responder. The configuration dialogs are the same as that tool so setting it up should be easy.
>
> From: Rahat Ali Khan <rah...@as...>
> Date: Thu, 29 Sep 2011 12:15:18 +0500
> To: Carl Wallace <ca...@re...>
> Cc: <pki...@li...>, <it...@as...>
> Subject: Re: [PKIF-users] An error in the log of PKIF OCSP Plugin
>
> Here is what we are doing.
>
> We are using a signed word document (which was signed in the past less than 24 hours). We open this doc and check whether or not the plugin kicks in. Following are the options which we have used,
>
> <snip>
>
> With these settings we get these errors in the logs.
>
> 2011-09-28_17:36:27 (2180) [TRACE] Begin OCSP plug-in configuration
> 2011-09-28_17:36:27 (2180) [TRACE] Calling application: C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\OFFICE~1\SETUP.EXE
> 2011-09-28_17:36:27 (2180) [TRACE] OCSP plug-in configuration complete
> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
> 2011-09-28_17:36:48 (2180) [TRACE] Unloading
> ------------------------------------------------------------------------------
> 2011-09-28_19:41:20 (3336) [TRACE] Begin OCSP plug-in configuration
> 2011-09-28_19:41:20 (3336) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
> 2011-09-28_19:41:20 (3336) [TRACE] OCSP plug-in configuration complete
> 2011-09-28_19:41:20 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
> 2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
> 2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_19:41:20 (3336) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
> 2011-09-28_19:41:20 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
> 2011-09-28_19:41:21 (3252) [TRACE] Unloading
> 2011-09-28_19:41:30 (3336) [INFORMATION] Revocation status: NOT_CHECKED
> 2011-09-28_19:41:30 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
> 2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
> 2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_19:41:30 (3336) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
> 2011-09-28_19:41:30 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
> 2011-09-28_19:41:31 (3336) [INFORMATION] Revocation status: NOT_CHECKED
> 2011-09-28_19:42:00 (2688) [TRACE] Unloading
> ------------------------------------------------------------------------------
>
> But when we enable checking of CRL and retrieval of CRL from CDP (in above screen shots) then we get the proper revocation check which is also logged.
>
> 2011-09-28_17:36:52 (2860) [TRACE] Begin OCSP plug-in configuration
> 2011-09-28_17:36:52 (2860) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
> 2011-09-28_17:36:52 (2860) [TRACE] OCSP plug-in configuration complete
> 2011-09-28_17:36:52 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
> 2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
> 2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:52 (2860) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
> 2011-09-28_17:36:52 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
> 2011-09-28_17:36:58 (2860) [INFORMATION] Revocation status: NOT_REVOKED
> 2011-09-28_17:36:58 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
> 2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
> 2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
> 2011-09-28_17:36:58 (2860) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
> 2011-09-28_17:36:58 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
> 2011-09-28_17:37:02 (2860) [INFORMATION] Revocation status: NOT_REVOKED
> 2011-09-28_17:37:28 (1632) [TRACE] Unloading
>
> Rahat
>
> On 09/28/2011 11:02 PM, Carl Wallace wrote:
>> Are you evaluating the certificate relative to the current time or a time in the past (or future)? That error only occurs in one location in the code with the trigger being evaluation of a certificate relative to a time greater than 24 hours in the past or 24 hours in the future. You should take a look at the CAPI2 logs to confirm what value is being evaluated. This error occurs before any OCSP responder is checked, so it's not an issue with being out of sync with the responder.
>>
>> What do you mean by "turn the CRL checks on"?
>>
>> From: Rahat Ali Khan <rah...@as...>
>> Date: Wed, 28 Sep 2011 20:19:56 +0500
>> To: <pki...@li...>
>> Subject: [PKIF-users] An error in the log of PKIF OCSP Plugin
>>
>> We are running PKIF OCSP plugin (on 32 bit Windows 2008) to test with an OCSP responder located on the same machine and we are having the following issues,
>>
>> - When we turn the CRL checks off, we are getting an entry in the log which says "Revocation status determination time outside supported range".
>>
>> - Revocation status: NOT_CHECKED
>>
>> But when we turn the CRL checks on, it checks the revocation status.
>>
>> Please guide us on this issue.
>>
>> Regards,
>>
>> Rahat
>>
>> _______________________________________________
>> PKIF-users mailing list
>> PKI...@li...
>> https://lists.sourceforge.net/lists/listinfo/pkif-users
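Carl's diagnosis above rests on two observations: the "outside supported range" error fires when a certificate is evaluated relative to a time more than 24 hours from now (before any responder is contacted), and NOT_CHECKED with OCSP only, but NOT_REVOKED once CRLs are enabled, points at OCSP processing rather than the time rule. The parser below, an added example that is neither PKIF code nor from the thread, applies both checks to lines in the plug-in's log format so the two symptoms can be separated mechanically. The sample log is constructed from the lines quoted above with a placeholder signer, and the 5 h UTC offset passed in the test is an assumption read off the timestamps in the thread.

```python
"""Parse PKIF OCSP plug-in log lines and apply the 24-hour rule described in the thread."""
import re
from datetime import datetime, timedelta
from typing import Dict, Optional

LINE_RE = re.compile(r"^(\S+) \((\d+)\) \[(\w+)\] (.*)$")
TIME_TO_USE_RE = re.compile(r"pftTimeToUse \(\d+:\d+\): (\d{14})")
MAX_SKEW = timedelta(hours=24)  # evaluation times more than 24 h from "now" are rejected

# Constructed sample modelled on the lines quoted in the thread (not a real capture);
# the signer subject is a placeholder.
SAMPLE_LOG = r"""2011-09-28_17:36:27 (2180) [TRACE] Begin OCSP plug-in configuration
2011-09-28_17:36:27 (2180) [TRACE] Calling application: C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\OFFICE~1\SETUP.EXE
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_19:41:20 (3336) [TRACE] Begin OCSP plug-in configuration
2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
2011-09-28_19:41:20 (3336) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
2011-09-28_19:41:20 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
2011-09-28_19:41:30 (3336) [INFORMATION] Revocation status: NOT_CHECKED
2011-09-28_19:41:30 (3336) [INFORMATION] Target Certificate Subject: cn=Example Signer,ou=Solutions,o=Ascertia,c=GB
2011-09-28_19:41:31 (3336) [INFORMATION] Revocation status: NOT_CHECKED
"""


def parse_line(line: str) -> Optional[dict]:
    """Split '<stamp> (<pid>) [<level>] <message>' into fields; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, pid, level, msg = m.groups()
    return {"time": datetime.strptime(stamp, "%Y-%m-%d_%H:%M:%S"),
            "pid": int(pid), "level": level, "msg": msg}


def time_skew(event: dict, utc_offset_hours: float = 0.0) -> Optional[timedelta]:
    """|log stamp - pftTimeToUse| for a line carrying pftTimeToUse, else None.
    The log stamp is local time while pftTimeToUse appears to be UTC (the thread's
    lines differ by 5 h), so the caller supplies the machine's UTC offset; a wrong
    offset cannot move a five-year-old evaluation time inside the 24 h window."""
    m = TIME_TO_USE_RE.search(event["msg"])
    if not m:
        return None
    wanted = datetime.strptime(m.group(1), "%Y%m%d%H%M%S") + timedelta(hours=utc_offset_hours)
    return abs(event["time"] - wanted)


def analyze(log_text: str, utc_offset_hours: float = 0.0) -> Dict[str, list]:
    """Flag evaluation times outside the window, and pair each target subject with the
    revocation status the same process logged for it next."""
    report: Dict[str, list] = {"outside_window": [], "statuses": []}
    pending: Dict[int, str] = {}  # pid -> last "Target Certificate Subject" seen
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        skew = time_skew(ev, utc_offset_hours)
        if skew is not None and skew > MAX_SKEW:
            report["outside_window"].append(
                (ev["pid"], TIME_TO_USE_RE.search(ev["msg"]).group(1), skew.days))
        if ev["msg"].startswith("Target Certificate Subject: "):
            pending[ev["pid"]] = ev["msg"].split(": ", 1)[1]
        elif ev["msg"].startswith("Revocation status: "):
            report["statuses"].append((pending.pop(ev["pid"], "?"), ev["msg"].split(": ", 1)[1]))
    return report
```

Run on the sample, the single out-of-window entry is the 2006 evaluation time from the SETUP.EXE process, while the WINWORD.EXE checks are inside the window and simply end in NOT_CHECKED, which is the OCSP-side failure Carl describes.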
From: Carl W. <ca...@re...> - 2011-09-29 12:25:55

Resending with screenshots deleted to avoid exceeding mailing list size limit.

From: Carl Wallace <ca...@re...>
Date: Thu, 29 Sep 2011 07:45:12 -0400
To: Rahat Ali Khan <rah...@as...>
Cc: <pki...@li...>, <it...@as...>
Subject: Re: [PKIF-users] An error in the log of PKIF OCSP Plugin

> It looks like the error about the time range does not pertain to this particular revocation check (it is probably fired when validating some authenticode signature).
>
> If OCSP does not yield an answer, the plugin will failover to CRLs if configured to do so. That you can modulate the result by turning CRL support on and off indicates there is an issue with OCSP processing. Here are a few things that could cause what you are seeing:
> * The responder is not accessible
> * The responder is not providing status for the certificate in question
> * Responses signed by the responder cannot be validated
> The last bullet would be my guess. Confirm that the OCSP responder is using a certificate that can be validated to a trust anchor in the store the OCSP plug-in is configured to use. If it is using a self-signed certificate and that certificate is not in a trust store used by the plugin, then OCSP functionality will not work. The PITT utility that is available on the PKIF source forge site may be useful in troubleshooting the responder. The configuration dialogs are the same as that tool so setting it up should be easy.
>
> From: Rahat Ali Khan <rah...@as...>
> Date: Thu, 29 Sep 2011 12:15:18 +0500
> To: Carl Wallace <ca...@re...>
> Cc: <pki...@li...>, <it...@as...>
> Subject: Re: [PKIF-users] An error in the log of PKIF OCSP Plugin
>
>> Here is what we are doing.
>>
>> We are using a signed word document (which was signed in the past less than 24 hours). We open this doc and check whether or not the plugin kicks in. Following are the options which we have used, <snip>
>>
>> With these settings we get these errors in the logs.
>>
>> 2011-09-28_17:36:27 (2180) [TRACE] Begin OCSP plug-in configuration
>> 2011-09-28_17:36:27 (2180) [TRACE] Calling application: C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\OFFICE~1\SETUP.EXE
>> 2011-09-28_17:36:27 (2180) [TRACE] OCSP plug-in configuration complete
>> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
>> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
>> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
>> 2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
>> 2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
>> 2011-09-28_17:36:48 (2180) [TRACE] Unloading
>> ------------------------------------------------------------------------------
>> 2011-09-28_19:41:20 (3336) [TRACE] Begin OCSP plug-in configuration
>> 2011-09-28_19:41:20 (3336) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
>> 2011-09-28_19:41:20 (3336) [TRACE] OCSP plug-in configuration complete
>> 2011-09-28_19:41:20 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
>> 2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
>> 2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_19:41:20 (3336) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
>> 2011-09-28_19:41:20 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
>> 2011-09-28_19:41:21 (3252) [TRACE] Unloading
>> 2011-09-28_19:41:30 (3336) [INFORMATION] Revocation status: NOT_CHECKED
>> 2011-09-28_19:41:30 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
>> 2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
>> 2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_19:41:30 (3336) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
>> 2011-09-28_19:41:30 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
>> 2011-09-28_19:41:31 (3336) [INFORMATION] Revocation status: NOT_CHECKED
>> 2011-09-28_19:42:00 (2688) [TRACE] Unloading
>> ------------------------------------------------------------------------------
>>
>> But when we enable checking of CRL and retrieval of CRL from CDP (in above screen shots) then we get the proper revocation check which is also logged.
>>
>> 2011-09-28_17:36:52 (2860) [TRACE] Begin OCSP plug-in configuration
>> 2011-09-28_17:36:52 (2860) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
>> 2011-09-28_17:36:52 (2860) [TRACE] OCSP plug-in configuration complete
>> 2011-09-28_17:36:52 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
>> 2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
>> 2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:52 (2860) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
>> 2011-09-28_17:36:52 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
>> 2011-09-28_17:36:58 (2860) [INFORMATION] Revocation status: NOT_REVOKED
>> 2011-09-28_17:36:58 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
>> 2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
>> 2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
>> 2011-09-28_17:36:58 (2860) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
>> 2011-09-28_17:36:58 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
>> 2011-09-28_17:37:02 (2860) [INFORMATION] Revocation status: NOT_REVOKED
>> 2011-09-28_17:37:28 (1632) [TRACE] Unloading
>>
>> Rahat
>>
>> On 09/28/2011 11:02 PM, Carl Wallace wrote:
>>> Are you evaluating the certificate relative to the current time or a time in the past (or future)? That error only occurs in one location in the code with the trigger being evaluation of a certificate relative to a time greater than 24 hours in the past or 24 hours in the future. You should take a look at the CAPI2 logs to confirm what value is being evaluated. This error occurs before any OCSP responder is checked, so it's not an issue with being out of sync with the responder.
>>>
>>> What do you mean by "turn the CRL checks on"?
>>>
>>> From: Rahat Ali Khan <rah...@as...>
>>> Date: Wed, 28 Sep 2011 20:19:56 +0500
>>> To: <pki...@li...>
>>> Subject: [PKIF-users] An error in the log of PKIF OCSP Plugin
>>>
>>>> We are running PKIF OCSP plugin (on 32 bit Windows 2008) to test with an OCSP responder located on the same machine and we are having the following issues,
>>>>
>>>> - When we turn the CRL checks off, we are getting an entry in the log which says "Revocation status determination time outside supported range".
>>>>
>>>> - Revocation status: NOT_CHECKED
>>>>
>>>> But when we turn the CRL checks on, it checks the revocation status.
>>>>
>>>> Please guide us on this issue.
>>>>
>>>> Regards,
>>>>
>>>> Rahat
>>>> http://p.sf.net/sfu/splunk-d2dcopy1________________________________________ >>>> _______ PKIF-users mailing list PKI...@li... >>>> https://lists.sourceforge.net/lists/listinfo/pkif-users >>> >> >> >> |
From: Rahat A. K. <rah...@as...> - 2011-09-29 07:17:45
|
Here is what we are doing. We are using a signed word document (which was signed in the past less than 24 hours). We open this doc and check whether or not the plugin kicks in. Following are the options which we have used. With these settings we get these errors in the logs.

2011-09-28_17:36:27 (2180) [TRACE] Begin OCSP plug-in configuration
2011-09-28_17:36:27 (2180) [TRACE] Calling application: C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\OFFICE~1\SETUP.EXE
2011-09-28_17:36:27 (2180) [TRACE] OCSP plug-in configuration complete
2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_17:36:27 (2180) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 0
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:256872320): 20061027030739
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_17:36:48 (2180) [TRACE] Unloading
-----------------------------------------------------------------------------
2011-09-28_19:41:20 (3336) [TRACE] Begin OCSP plug-in configuration
2011-09-28_19:41:20 (3336) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2011-09-28_19:41:20 (3336) [TRACE] OCSP plug-in configuration complete
2011-09-28_19:41:20 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_19:41:20 (3336) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
2011-09-28_19:41:20 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
2011-09-28_19:41:21 (3252) [TRACE] Unloading
2011-09-28_19:41:30 (3336) [INFORMATION] Revocation status: NOT_CHECKED
2011-09-28_19:41:30 (3336) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
2011-09-28_19:41:30 (3336) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_19:41:30 (3336) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
2011-09-28_19:41:30 (3336) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
2011-09-28_19:41:31 (3336) [INFORMATION] Revocation status: NOT_CHECKED
2011-09-28_19:42:00 (2688) [TRACE] Unloading
-----------------------------------------------------------------------------

But when we enable checking of CRL and retrieval of CRL from CDP (in above screen shots) then we get the proper revocation check which is also logged.

2011-09-28_17:36:52 (2860) [TRACE] Begin OCSP plug-in configuration
2011-09-28_17:36:52 (2860) [TRACE] Calling application: C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2011-09-28_17:36:52 (2860) [TRACE] OCSP plug-in configuration complete
2011-09-28_17:36:52 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:52 (2860) [INFORMATION] Target Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
2011-09-28_17:36:52 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Root CA 2,o=Ascertia,c=GB
2011-09-28_17:36:58 (2860) [INFORMATION] Revocation status: NOT_REVOKED
2011-09-28_17:36:58 (2860) [DEBUG] dwEncodingType: 1 dwRevType: 1 cContext: 1 dwFlags: 4
2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
2011-09-28_17:36:58 (2860) [DEBUG] cbSize: 24 dwIndex: 0 dwError: 0 dwReason: 0
2011-09-28_17:36:58 (2860) [INFORMATION] Target Certificate Subject: cn=Wahaj Khan,ou=Solutions,o=Ascertia,c=GB
2011-09-28_17:36:58 (2860) [DEBUG] Issuer Certificate Subject: cn=Ascertia Internal CA 2,ou=Security,o=Ascertia,c=GB
2011-09-28_17:37:02 (2860) [INFORMATION] Revocation status: NOT_REVOKED
2011-09-28_17:37:28 (1632) [TRACE] Unloading

Rahat

On 09/28/2011 11:02 PM, Carl Wallace wrote:
> Are you evaluating the certificate relative to the current time or a time in the past (or future)? That error only occurs in one location in the code with the trigger being evaluation of a certificate relative to a time greater than 24 hours in the past or 24 hours in the future. You should take a look at the CAPI2 logs to confirm what value is being evaluated. This error occurs before any OCSP responder is checked, so it's not an issue with being out of sync with the responder.
>
> What do you mean by "turn the CRL checks on"?
>
> From: Rahat Ali Khan <rah...@as...>
> Date: Wed, 28 Sep 2011 20:19:56 +0500
> To: <pki...@li...>
> Subject: [PKIF-users] An error in the log of PKIF OCSP Plugin
>
> We are running PKIF OCSP plugin (on 32 bit Windows 2008) to test with an OCSP responder located on the same machine and we are having the following issues,
>
> - When we turn the CRL checks off, we are getting an entry in the log which says "Revocation status determination time outside supported range".
>
> - Revocation status: NOT_CHECKED
>
> But when we turn the CRL checks on, it checks the revocation status.
>
> Please guide us on this issue.
>
> Regards,
>
> Rahat
|
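The pftTimeToUse values in the log above are printed twice: as a Windows FILETIME split into high:low 32-bit halves, and as the same instant in YYYYMMDDHHMMSS form. Carl's reply (quoted above) says the "outside supported range" error fires when that evaluation time is more than 24 hours from the current time. The following is an added example, not code from PKIF or the OCSP plugin, that decodes the FILETIME, cross-checks it against the printed value, and flags every entry whose evaluation time falls outside a ±24h window around the entry's own timestamp. It assumes the plugin writes log timestamps in local time at UTC+5 (the +0500 offset in the thread's Date header) while the FILETIME is UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the plugin log quoted in this thread.
SAMPLE_LOG = """\
2011-09-28_17:36:27 (2180) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (29817205:206872320): 20061027030734
2011-09-28_17:36:27 (2180) [INFORMATION] Revocation status determination time outside supported range
2011-09-28_19:41:20 (3336) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178796:2947560508): 20110928144120
2011-09-28_17:36:52 (2860) [DEBUG] cbSize: 52 cCertStore: not specified rgCertStore: not specified hCrlStore: specified pftTimeToUse (30178779:1284328236): 20110928123652
"""

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC;
# the plugin prints it as its high and low 32-bit halves ("high:low").
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}) \((\d+)\) \[(\w+)\] (.*)$")
PFT_RE = re.compile(r"pftTimeToUse \((\d+):(\d+)\): (\d{14})")

# Assumption: log timestamps are local time; the thread's Date header is +0500.
LOCAL_TZ = timezone(timedelta(hours=5))
# The window Carl describes: more than 24h in the past or future triggers the error.
WINDOW = timedelta(hours=24)


def filetime_to_datetime(high: int, low: int) -> datetime:
    """Decode the high:low FILETIME pair into an aware UTC datetime."""
    ticks = (high << 32) | low            # 100 ns units since 1601-01-01
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_generalized_time(text: str) -> datetime:
    """Parse the YYYYMMDDHHMMSS rendering printed next to the FILETIME (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_entry(line: str):
    """Split one plugin log line into timestamp, pid, level and message."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    stamp, pid, level, msg = m.groups()
    logged_at = datetime.strptime(stamp, "%Y-%m-%d_%H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return {"logged_at": logged_at, "pid": int(pid), "level": level, "msg": msg}


def check_time_window(log_text: str, window: timedelta = WINDOW) -> list:
    """For every line carrying pftTimeToUse: decode the FILETIME, confirm it
    agrees with the printed value, and flag it when it lies more than `window`
    from the moment the line was logged. Lines without pftTimeToUse are skipped."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        pft = PFT_RE.search(entry["msg"])
        if pft is None:
            continue
        high, low, printed = pft.groups()
        decoded = filetime_to_datetime(int(high), int(low))
        printed_dt = parse_generalized_time(printed)
        # The FILETIME carries sub-second precision; the printed form does not.
        consistent = decoded.replace(microsecond=0) == printed_dt
        offset = decoded - entry["logged_at"]
        results.append({
            "pid": entry["pid"],
            "logged_at": entry["logged_at"],
            "time_to_use": decoded.replace(microsecond=0),
            "filetime_matches_printed": consistent,
            "offset": offset,
            "outside_window": abs(offset) > window,
        })
    return results


if __name__ == "__main__":
    for r in check_time_window(SAMPLE_LOG):
        flag = "OUTSIDE +/-24h window" if r["outside_window"] else "within window"
        print(f"pid {r['pid']}: evaluating at {r['time_to_use']:%Y-%m-%d %H:%M:%S}Z, "
              f"offset from log time {r['offset']} -> {flag} "
              f"(FILETIME agrees with printed value: {r['filetime_matches_printed']})")
```

Run against the first block above, the 2006 pftTimeToUse is roughly five years before the log time, which is the condition Carl describes; the two 2011 entries coincide with the log time and pass.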
From: Carl W. <ca...@re...> - 2011-09-28 18:27:30
|
Are you evaluating the certificate relative to the current time or a time in the past (or future)? That error only occurs in one location in the code with the trigger being evaluation of a certificate relative to a time greater than 24 hours in the past or 24 hours in the future. You should take a look at the CAPI2 logs to confirm what value is being evaluated. This error occurs before any OCSP responder is checked, so it's not an issue with being out of sync with the responder.

What do you mean by "turn the CRL checks on"?

From: Rahat Ali Khan <rah...@as...>
Date: Wed, 28 Sep 2011 20:19:56 +0500
To: <pki...@li...>
Subject: [PKIF-users] An error in the log of PKIF OCSP Plugin

> We are running PKIF OCSP plugin (on 32 bit Windows 2008) to test with an OCSP responder located on the same machine and we are having the following issues,
>
> - When we turn the CRL checks off, we are getting an entry in the log which says "Revocation status determination time outside supported range".
>
> - Revocation status: NOT_CHECKED
>
> But when we turn the CRL checks on, it checks the revocation status.
>
> Please guide us on this issue.
>
> Regards,
>
> Rahat
|
From: Rahat A. K. <rah...@as...> - 2011-09-28 15:37:22
|
We are running PKIF OCSP plugin (on 32 bit Windows 2008) to test with an OCSP responder located on the same machine and we are having the following issues,

- When we turn the CRL checks off, we are getting an entry in the log which says "Revocation status determination time outside supported range".

- Revocation status: NOT_CHECKED

But when we turn the CRL checks on, it checks the revocation status.

Please guide us on this issue.

Regards,

Rahat
|
From: Ian B. <ib...@ne...> - 2011-05-25 13:54:57
|
We've encountered three issues during our testing with Webcullis, PITT and PKIF. The platform we are using is Windows Server 2008 R2 64 bit.

1. Webcullis certificate repositories

Webcullis only looks within the SOFTWARE\Microsoft\SystemCertificates registry key. I've published the cross certificates into Active Directory and these are being placed inside SOFTWARE\Microsoft\EnterpriseCertificates. Windows is able to validate the chain, but Webcullis isn't. Shouldn't Webcullis be checking both repositories?

2. Windows Server 2008 CA generated Name Constraints

Using PITT, the PKIF validation fails (with no useful information) if the certificate chain includes a Microsoft generated name constraints extension. The CAPI validation succeeds. The Microsoft generated name constraints extension contains blank entries for undefined name types, which is presumably what's causing PKIF to fail. Removing the name constraint fixes the issue. It would be better if either Microsoft name constraints were supported, or PITT outputted an error message indicating the problem in the name constraint, or at least documented this potential pitfall in the usage guide.

3. AIAs pointing to self-signed certificates

Using PITT, the PKIF validation report we are getting includes some URI_INCORRECT_DATA and URI_WARNING messages on the AIAs. Although the certificate chain validates successfully we would prefer it to validate with no warnings. It appears that both of these are due to self-signed certificates being retrieved through the AIA. The chain is:

(TA) Self-signed Trusted Root CA
(1) Cross-certificate to Third Party Root CA
(2) Cross-certificate to a Sub CA
(3) End Entity Certificate

(2) has an AIA of ldap://.../...?cACertificate;binary,crossCertificatePair;binary

This generates a URI_WARNING because cACertificate contains the self-signed Third Party Root CA. I can't really see any problem with these certificates, so I don't understand why this is a warning. RFC 5280 does not say that AIAs shouldn't include self-signed certificates, and RFC 4158 para 3.5.17 implies that this is valid and the cACertificate can be scored higher than crossCertificatePair by the path builder algorithm.
|
From: Mark L. <Mar...@he...> - 2011-04-12 19:45:09
|
I know this should be obvious, but for some reason, I'm not seeing it. I installed the plugin and configured it for OCSP responses. It will be used on a site for DoD CAC. The site already supports CAC, so I'm just trying to add OCSP. Logging is set to DEBUG so I expect to see some logs on every request, but I don't see any logs at all. I'm assuming that running the install script and configuration is enough based upon the instructions, but maybe I'm wrong. Oh, I also tried manually adding the DLLs to the IIS Web Site ISAPI filters but to no avail. What little thing am I missing?

Thanks,
Mark Loper
|
From: Ian B. <ib...@ne...> - 2011-03-25 05:59:44
|
Hi Armen,

Thanks for your help - I've got it working! I had to:

1. Add the WSPAC registry key
2. Enable support for 32 bit applications in 64 bit IIS
3. Due to Exchange 2010 being installed on this testbed VM, set precondition="bitness64" on kerbauth.dll, owaauth.dll and airfilter.dll in applicationhost.config

Ian.

From: Armen Galustyan
Sent: Thursday, March 24, 2011 10:41 PM
To: Ian Brumby
Subject: RE: [PKIF-users] Webcullis on IIS 7.5

Hi Ian,

On IIS 7 only the Webcullis IIS 7 module needs to be installed; don't register or install the ISAPI filter. The ISAPI filter doesn't work on IIS7. You can make a new application pool for Webcullis and make it run as the WC_APP_POOL user, or have the default app pool run as WC_APP_POOL if there is only one web site and only one app pool (default) present. The HKEY_LOCAL_MACHINE\SOFTWARE\Orion Security Solutions\WSPAC registry key should have been created by the installer; I'm not sure why that didn't happen. It's a string named WCIniRegKey pointing to the location of the webcullis.ini file. If nothing is written to the log then most likely the module was not loaded.

Regards,
Armen

From: Ian Brumby
Sent: Thursday, March 24, 2011 4:11 AM
To: pki...@li...
Subject: [PKIF-users] Webcullis on IIS 7.5

I tried to install Webcullis 2.1.13 on Windows Server 2008 R2 Enterprise today with no luck. Is Webcullis supported on IIS 7.5?

I installed the Webcullis IIS 7 Module, but the installer also installed the ISAPI Filter into IIS. Is this still needed? Or can I delete it?

In the wc2_iis7_supplement.pdf it mentions granting access to HKEY_LOCAL_MACHINE\SOFTWARE\Orion Security Solutions\WSPAC but this key doesn't exist after the install. Do I create it or is this an error?

In the wc2_iis7_supplement.pdf step 3 is making the Webcullis application pool user run as the WC_APP_POOL user. I've created the user as per steps 1 & 2, but the installer didn't install a Webcullis application pool - am I meant to create one?

I expected after the install that every page would now be blocked since I selected the "Register IIS Filter" option when installing, but nothing is being blocked and nothing is being logged in wspac_log.log or trace_log.log with a LogLevel of 5 so it doesn't look like the module is even being called. I've checked that the module appears as a Native Module under "Modules", the client browser is asking me to choose a client certificate, but pages aren't being blocked.

Any help would be appreciated.

Ian.
|
From: Ian B. <ib...@ne...> - 2011-03-24 08:11:03
|
I tried to install Webcullis 2.1.13 on Windows Server 2008 R2 Enterprise today with no luck. Is Webcullis supported on IIS 7.5?

I installed the Webcullis IIS 7 Module, but the installer also installed the ISAPI Filter into IIS. Is this still needed? Or can I delete it?

In the wc2_iis7_supplement.pdf it mentions granting access to HKEY_LOCAL_MACHINE\SOFTWARE\Orion Security Solutions\WSPAC but this key doesn't exist after the install. Do I create it or is this an error?

In the wc2_iis7_supplement.pdf step 3 is making the Webcullis application pool user run as the WC_APP_POOL user. I've created the user as per steps 1 & 2, but the installer didn't install a Webcullis application pool - am I meant to create one?

I expected after the install that every page would now be blocked since I selected the "Register IIS Filter" option when installing, but nothing is being blocked and nothing is being logged in wspac_log.log or trace_log.log with a LogLevel of 5 so it doesn't look like the module is even being called. I've checked that the module appears as a Native Module under "Modules", the client browser is asking me to choose a client certificate, but pages aren't being blocked.

Any help would be appreciated.

Ian.
|
From: Geoff B. <GB...@cy...> - 2010-11-18 16:19:48
|
Since digital signatures do not fare well on sourceforge.net mailing lists, you can find a digitally signed version of this announcement on our website, here: http://pkif.sourceforge.net/2.1.13-announce.eml

Any questions can be sent to pki...@li... or pki...@cy....

Regards,
Geoff

-------- Original Message --------
Subject: Releases 2.1.13 of PKIF, the OCSP plugin and Webcullis, PITT 1.2.1 are now available for download
Date: Thu, 18 Nov 2010 10:25:22 -0500
From: Geoff Beier <gb...@cy...>
To: geo...@gm...

Source and binaries for PKIF 2.1.13, the OCSP plugin and Webcullis are now available for download from the sourceforge site. Additionally, source and binaries for PITT 1.2.1 are available.

This release of the library is primarily a maintenance release, but does include the following fix to the SCVP library. This is security-relevant for applications that rely on SCVP:

- The use of an ASN.1 open type to induce deferred decoding of some structures was resulting in spurious tags when PKIF encoded such a structure inside of a CHOICE. The use of deferred decoding where the value appears within a CHOICE has been discontinued. (Change 12000)

Full release notes are available here:
PKIF core: http://tinyurl.com/pkif2113notes
OCSP Plugin: http://tinyurl.com/ocsp2113notes
Webcullis: http://tinyurl.com/webcullis2113notes
PITT: http://tinyurl.com/pitt121notes

All releases can be downloaded here: https://sourceforge.net/projects/pkif/files/PKIF%202.1.13/
PITT can be downloaded from: https://sourceforge.net/projects/pkif/files/PITT/PITT%201.2.1/

The SHA1 hashes of the downloadable files are:
|
From: Geoff B. <GB...@cy...> - 2010-09-03 20:27:33
|
Since digital signatures do not fare well on sourceforge.net mailing lists, you can find a digitally signed version of this announcement on our website, here: http://pkif.sourceforge.net/2.1.12-announce.eml

Any questions can be sent to pki...@li... or pki...@cy....

Regards,
Geoff

-----Original Message-----
From: Geoff Beier
Subject: PKIF 2.1.12, PITT 1.1.2, Webcullis 2.1.12 and the PKIF OCSP Plugin are available for download

Source and binaries for PKIF 2.1.12, the OCSP plugin and Webcullis are now available for download from the sourceforge site. Additionally, source and binaries for version 1.1.2 of PITT are available.

This release of the library is primarily a maintenance release but does include the following security-relevant changes:

- Fixed loop construction that could result in incorrectly adding a responder's certificate to the validated responder cache (potentially resulting in the usage of a response when validation of the responder certificate resulted in an error). (Change 11577)
- Fixed bug in name constraints processing. Some rfc822 names were not being processed correctly. (Change 11583)
- Changed crypto mediator to throw an exception raised by a colleague only if it is the last colleague in the list (to allow others to act). (Change 11696 and 11699)

This release of Webcullis includes a new native module for IIS 7 on Windows and improves support for running alongside mod_nss on Linux.

PKIF core: http://tinyurl.com/pkif2112notes
OCSP Plugin: http://tinyurl.com/ocsp2112notes
Webcullis: http://tinyurl.com/webcullis2112notes
PITT: http://tinyurl.com/pitt112notes

All releases can be downloaded here: https://sourceforge.net/projects/pkif/files/PKIF%202.1.11/
PITT can be downloaded from https://sourceforge.net/projects/pkif/files/PITT/PITT%201.1.1/

The SHA1 hashes of the downloadable files are:
|