openca-users

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Massimiliano P. <dir...@op...>]

Hi  Joachim,

there should be an option in etc/ocspd/ocspd.xml file. In particular
search for the digestAlgorithm option. Is that sha1 ? If that is the
case and you needed to change the code in libpki, than there's an
error there that I need to fix.

Just to summarize: you are using a RSA+SHA256 as the OCSP responder's
certificate ?

If that is the case, the hash algorithm used for signatures (not the
OCSP hashing algorithm) when signing the response is taken from the
server's certificate - that might be the cause for the sha256. I don't
understand why the CISCO router would not be able to validate that!
SHA1 is not supposed to be used for signatures anymore!!!

For the certificate, I am not sure what the issue might be. I guess
that you already checked the validity period of the certificate.
Another thing you might try to check is you forgot the OCSPSigning
option in the extendedKeyUsage.

Cheers,
Max

On 06/15/2011 04:19 AM, Joachim Astel wrote:
> Hi Massimiliano,
>
> unfortunately that isn't the case. With OCSP-1 sha256 worked fine
> for the rootCA and cisco-certs so far, only OCSP-2 makes trouble.
> So I'm just trying to track down why it doesn't work with the new
> daemon anymore.
>
> As I wrote yesterday, i commented out "SHA256" as a switch-case:
> in libpki-0.6.5/src/openssl/pki_algor.c, so my reponses were
> created with SHA1 to make adequate output as OCSP-1 did for the
> answer certificates in a first step.
>
> My first question is: is there a well defined way to configure this by
> .xml configurations instead of patching the source code to make
> SHA1 ocsp answers instead of SHA256 ones (like it is default now)?
>
> As a result, using SHA1 instead of SHA256 in my answer strings,
> the "message digest algorithms not supported" error on the Cisco
> router has gone away now.
>
> But now i'm in the next level of the adventure. The Cisco router
> still shows another error after that:
>
> Jun 15 07:00:31.266: CRYPTO_PKI: OCSP response status - successful.
> Jun 15 07:00:31.274: CRYPTO_PKI: Validating OCSP responder certificate
> Jun 15 07:00:31.278: CRYPTO_PKI: OCSP Responder cert doesn't need rev check
> Jun 15 07:00:31.278: CRYPTO_PKI: response signed by a delegated responder
> Jun 15 07:00:31.278: CRYPTO_PKI: Certificate not validated
> Jun 15 07:00:31.278: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.1.2.3 is bad: certificate invalid
>
> My second question: do you know what "Certificate not validated" says to me?
> Do I use the wrong signing CA or something like that?
>
> Greetings
>    Achim
>

-- 

http://member.acm.org/~openca/

Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Joachim A. <ac...@as...>]

Hi Carlos,

> "Cisco IOS SHA-2 Support for PKI" (that is SHA-256, SHA-384, SHA-512)
> was introduced mainly in IOS 12.4(15)T in almost all platforms.

It's right, Cisco can handle certificates with >= SHA-256, of course,
since 12.4(15)T.

BUT: we've tracked down that OCSP daemon answer which is signed, may not
be signed with a hash-size > SHA-1, even with IOS 12.4(15)T or IOS 15.
When the OCSP answer is signed with SHA-256 from the OCSP daemon,
the cisco router simply responds with:
   "E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"

But the main topic on the mailing list is: how can the OCSP-2 workaround
this by making it possible to send an OCSP answer with SHA-1 again, like
OCSP-1 did it by default. I've just workarounded it meanwhile by patching
the source code and removing the SHA256 case as a possible OCSP answer.

Greetings
    -Achim

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@cn...>]

Hello,

> BUT: we've tracked down that OCSP daemon answer which is signed, may not
> be signed with a hash-size > SHA-1, even with IOS 12.4(15)T or IOS 15.
> When the OCSP answer is signed with SHA-256 from the OCSP daemon,
> the cisco router simply responds with:
>    "E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"

I really haven't tried it but I have myself filed some bugs in Cisco in
the past about this OCSP part. It seems they use some old code from RSA
that is buggy only for this part. I remember last time I had to file a
bug because this code was not sending Host header in HTTP request
causing OCSP not working when using vhosts, like using an apache reverse
proxy.

Right now I haven't a setup using OCSP with SHA-256, although planned in
the future. If you have a test setup deployed let me know in private,
maybe I could open a bug in Cisco to solve this there. Although a
workaround should be needed.

Regards,
Carlos Velasco


*************** AVISO LEGAL ***************
Este mensaje va dirigido, de manera exclusiva, a su destinatario y
contiene información confidencial y sujeta al secreto profesional,
cuya divulgación no está permitida por la ley. En caso de haber
recibido este mensaje por error, le rogamos que, de forma inmediata,
nos lo comunique mediante correo electrónico remitido a nuestra
atención o a través del teléfono (+34 914531200) y proceda a su
eliminación, así como a la de cualquier documento adjunto al mismo.
Asimismo, le comunicamos que la distribución, copia o utilización de
este mensaje, o de cualquier documento adjunto al mismo, cualquiera
que fuera su finalidad, están prohibidas por la ley. Le informamos,
como destinatario de este mensaje, que el correo electrónico y las
comunicaciones por medio de Internet no permiten asegurar ni
garantizar la confidencialidad de los mensajes transmitidos, así como
tampoco su integridad o su correcta recepción, por lo que el CNIC no
asume responsabilidad alguna por tales circunstancias. Si no
consintiese la utilización del correo electrónico o de las
comunicaciones vía Internet le rogamos nos lo comunique y ponga en
nuestro conocimiento de manera inmediata.

*************** LEGAL NOTICE **************
This message is intended exclusively for the person to whom it is
addressed and contains privileged and confidential information
protected from disclosure by law. If you are not the addressee
indicated in this message, you should immediately delete it and any
attachments and notify the sender by reply e-mail or by phone
(+34 914531200). In such case, you are hereby notified that any
dissemination, distribution, copying or use of this message or any
attachments, for any purpose, is strictly prohibited by law. We
hereby inform you, as addressee of this message, that e-mail and
Internet do not guarantee the confidentiality, nor the completeness
or proper reception of the messages sent and, thus, CNIC does not
assume any liability for those circumstances. Should you not agree
to the use of e-mail or to communications via Internet, you are
kindly requested to notify us immediately.

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Massimiliano P. <dir...@op...>]

Hi Carlos,

if you could file a bug report, that would be great. On my side, I am
thinking about adding an option in the OCSPD configuration file that
will force the signatures to use sha1 also when the OCSPD certificate
is signed with sha256. I think that would solve, temporarily the problem.

Cheers,
Max

On 06/16/2011 12:23 PM, Carlos Velasco wrote:
> Hello,
>
>> BUT: we've tracked down that OCSP daemon answer which is signed, may not
>> be signed with a hash-size>  SHA-1, even with IOS 12.4(15)T or IOS 15.
>> When the OCSP answer is signed with SHA-256 from the OCSP daemon,
>> the cisco router simply responds with:
>>     "E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"
>
> I really haven't tried it but I have myself filed some bugs in Cisco in
> the past about this OCSP part. It seems they use some old code from RSA
> that is buggy only for this part. I remember last time I had to file a
> bug because this code was not sending Host header in HTTP request
> causing OCSP not working when using vhosts, like using an apache reverse
> proxy.
>
> Right now I haven't a setup using OCSP with SHA-256, although planned in
> the future. If you have a test setup deployed let me know in private,
> maybe I could open a bug in Cisco to solve this there. Although a
> workaround should be needed.
>
> Regards,
> Carlos Velasco

-- 

http://member.acm.org/~openca/

Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@cn...>]

Hello Max,

I really haven't had any time to setup a new OpenCA to test the problem
with the Cisco and submit a SR in Cisco TAC. Pretty busy lately :(
If you or anyone have a test or working CA with SCEP I could test
requesting and installing certificate through SCEP and then validating
the certificate through OCSP.

Regards,
Carlos Velasco


*************** AVISO LEGAL ***************
Este mensaje va dirigido, de manera exclusiva, a su destinatario y
contiene información confidencial y sujeta al secreto profesional,
cuya divulgación no está permitida por la ley. En caso de haber
recibido este mensaje por error, le rogamos que, de forma inmediata,
nos lo comunique mediante correo electrónico remitido a nuestra
atención o a través del teléfono (+34 914531200) y proceda a su
eliminación, así como a la de cualquier documento adjunto al mismo.
Asimismo, le comunicamos que la distribución, copia o utilización de
este mensaje, o de cualquier documento adjunto al mismo, cualquiera
que fuera su finalidad, están prohibidas por la ley. Le informamos,
como destinatario de este mensaje, que el correo electrónico y las
comunicaciones por medio de Internet no permiten asegurar ni
garantizar la confidencialidad de los mensajes transmitidos, así como
tampoco su integridad o su correcta recepción, por lo que el CNIC no
asume responsabilidad alguna por tales circunstancias. Si no
consintiese la utilización del correo electrónico o de las
comunicaciones vía Internet le rogamos nos lo comunique y ponga en
nuestro conocimiento de manera inmediata.

*************** LEGAL NOTICE **************
This message is intended exclusively for the person to whom it is
addressed and contains privileged and confidential information
protected from disclosure by law. If you are not the addressee
indicated in this message, you should immediately delete it and any
attachments and notify the sender by reply e-mail or by phone
(+34 914531200). In such case, you are hereby notified that any
dissemination, distribution, copying or use of this message or any
attachments, for any purpose, is strictly prohibited by law. We
hereby inform you, as addressee of this message, that e-mail and
Internet do not guarantee the confidentiality, nor the completeness
or proper reception of the messages sent and, thus, CNIC does not
assume any liability for those circumstances. Should you not agree
to the use of e-mail or to communications via Internet, you are
kindly requested to notify us immediately.

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Joachim A. <ac...@as...>]

I wanted to say hallo to the mailing-list with an update:

1.

OCSP2 ist now working with Cisco routers (with its RSA BSAFE implementation
for cerfiticate handling).

You just have to remove the "validity" configuration within ocspd.xml


2.

Now it works quite well, but there still seems a memory leak,

OCSPD core dumps after some million OCSP requests, showing:
  *** glibc detected *** /usr/local/ocspd/sbin/ocspd: free(): invalid pointer: 0x00000000xxxxxxxx ***

But responses are as they are expected. This is much better than with OCSP1.
Very much thanks to Max. :-)

Greetings
   -Achim

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Massimiliano P. <dir...@op...>]

Hi Joachim,

could you run the OCSPD in a debugger:

   $ cd /opt/ocspd <---- I assume the OCSP is installed here
   $ sudo gdb sbin/ocspd
   gdb> set args -c etc/ocspd/ocspd.xml
   gdb> run
   ...

bombard the OCSPD with a lot of requests... and when the OCSPD dies, do
the following:

   $ backtrace

this will print out the stack at the moment of the failure - this should
help me in finding where the issue is.

Let me know,
Max


On 07/07/2011 07:21 AM, Joachim Astel wrote:
>    *** glibc detected *** /usr/local/ocspd/sbin/ocspd: free(): invalid pointer: 0x00000000xxxxxxxx ***

-- 

http://member.acm.org/~openca/

Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Joachim A. <ac...@as...>]

Hi Massimiliano,

thanks for debugging request, here's the backtrace.
I hope it helps. :-)

Greetings
    -Achim

Massimiliano Pala writes:
> Hi Joachim,
> 
> could you run the OCSPD in a debugger:
> 
>   $ cd /opt/ocspd <---- I assume the OCSP is installed here
>   $ sudo gdb sbin/ocspd
>   gdb> set args -c etc/ocspd/ocspd.xml
>   gdb> run
>   ...
> 
> bombard the OCSPD with a lot of requests... and when the OCSPD dies, do
> the following:
> 
>   $ backtrace
> 
> this will print out the stack at the moment of the failure - this should
> help me in finding where the issue is.
> 
> Let me know,
> Max
> 
> 
> On 07/07/2011 07:21 AM, Joachim Astel wrote:
> >   *** glibc detected *** /usr/local/ocspd/sbin/ocspd: free(): invalid pointer: 0x00000000xxxxxxxx ***
> 
> -- 
> 
> http://member.acm.org/~openca/
> 
> Massimiliano Pala, Ph.D.
> Director, OpenCA Labs
> Professor, NYU Poly
> 



> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2

> _______________________________________________
> Openca-Users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openca-users

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

> Hi  Joachim,
> 
> there should be an option in etc/ocspd/ocspd.xml file. In particular
> search for the digestAlgorithm option. Is that sha1 ? If that is the
> case and you needed to change the code in libpki, than there's an
> error there that I need to fix.
> 
> Just to summarize: you are using a RSA+SHA256 as the OCSP responder's
> certificate ?
> 
> If that is the case, the hash algorithm used for signatures (not the
> OCSP hashing algorithm) when signing the response is taken from the
> server's certificate - that might be the cause for the sha256. I don't
> understand why the CISCO router would not be able to validate that!
> SHA1 is not supposed to be used for signatures anymore!!!
> 
> For the certificate, I am not sure what the issue might be. I guess
> that you already checked the validity period of the certificate.
> Another thing you might try to check is you forgot the OCSPSigning
> option in the extendedKeyUsage.
> 
> Cheers,
> Max

Hello,

I finally manage to install new OpenCA 1.1.1 and OCSPd 2.1.0 and test
OCSP with Cisco devices.

Verified, by default OCSPd 2.1.0 doesn't work with Cisco cause sha256:

../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717)
: E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported


But Max, my digestAlgorithm option is sha1:

<!-- Digest Algorithm to be used when building responses, currently
     the standard specifies SHA1 as the only supported algorithm -->
<pki:digestAlgorithm>sha1</pki:digestAlgorithm>


And also I modified the OCSP Server extfile to generate the OCSP
certificate with sha1:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f0:cc:8c:0c:2a:8c:26:86:e9:aa
    Signature Algorithm: sha1WithRSAEncryption


However OCSPd is still using sha256 when signing the response:

[pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm
sha256WithRSAEncryption

Don't know how to workaround this.


Another thing, I was thinking about opening a Cisco TAC Case now about
this issue, but this comment is in the ocspd.conf:
<!-- Digest Algorithm to be used when building responses, currently
     the standard specifies SHA1 as the only supported algorithm -->

Is OCSP supposed to work with sha256 at all?

Regards,
Carlos Velasco

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

> Verified, by default OCSPd 2.1.0 doesn't work with Cisco cause sha256:
> 
> ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717)
> : E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported
> 
> However OCSPd is still using sha256 when signing the response:
> 
> [pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm
> sha256WithRSAEncryption
> 
> Don't know how to workaround this.

Replying to myself..

Attached is a dirty (ugly) patch to OCSP 2.1.1 source code to force
reply in sha1 for OCSPd. Better than patching libpki, but not a final
solution.

Looked into OCSP RFC and it seems that sha1 and sha256 SHALL be
supported so I will try to open a TAC Case with Cisco to see it working
in IOS.


Apart of this patch all seems to be working fine in the OCSP with Cisco.
Will be making more tests soon.

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

> Apart of this patch all seems to be working fine in the OCSP with Cisco.
> Will be making more tests soon.

I got tired of always seeing "CORE::Connection from [0.0.0.0]", so here
is another patch to show the correct address of connections.

Code explanation:
As connection is handled now by libpki, the function there only returns
fd and not a proper socket. So OCSPd code must derive socket from fd
using getpeername function.



Also I am looking for another problem in code where a fragmented HTTP
OCSP request from a Cisco router is getting this in OCSPd:

ocspd[5077]: [request.c:45]::ERR::Network Error while reading Request!
ocspd[5077]: [threads.c:79]::ERR::Can not parse REQ

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

>> Apart of this patch all seems to be working fine in the OCSP with
>> Cisco. Will be making more tests soon.

About sha2 support in Cisco IOS OCSP implementation I have contacted
Cisco TAC and opened bug id:
CSCtz40028

However for now it is a bug of low priority (sigh). If anyone reading
this list has active support contract with Cisco maybe we can push
together. I will get in contact with my Cisco AM to engage him into this
to raise priority.



Also attached is a patch for CRL autoreload in OCSP, it was not working
at all due to some typos in the configuration part.



More important... there are memory leaks in OCSP as Joachim Astel told.
I managed to reproduce the issue bombarding the OCSPd with OpenSSL OCSP
checks.

See RSS field:

  PID TTY      STAT   TIME  MAJFL   TRS   DRS   RSS %MEM COMMAND
13698 ?        SNl    0:45      0    44 790895 7104  0.1
/usr/sbin/ocspd -c /etc/ocspd/ocspd.xml -d -v


After some time bombarding:

  PID TTY      STAT   TIME  MAJFL   TRS   DRS   RSS %MEM COMMAND
13698 ?        SNl    9:57      0    44 790895 63072  1.5
/usr/sbin/ocspd -c /etc/ocspd/ocspd.xml -d -v


I have managed to run OCSPd through Valgrind in an Ubuntu VM and see a
lot of memory leaks. Attached is Valgrind log.

Not an expert, but I think this is the most important:

==20277== 323,796 (2,904 direct, 320,892 indirect) bytes in 121 blocks
are definitely lost in loss record 993 of 993
==20277==    at 0x4C28F9F: malloc (vg_replace_malloc.c:236)
==20277==    by 0x4E59CCC: PKI_Malloc (pki_mem.c:255)
==20277==    by 0x4E59626: PKI_MEM_new_null (pki_mem.c:17)
==20277==    by 0x4E5A331: PKI_MEM_new_bio (pki_mem.c:486)
==20277==    by 0x4E72B90: PKI_X509_put_mem_value (pki_x509_mem.c:310)
==20277==    by 0x4E72813: PKI_X509_put_mem (pki_x509_mem.c:216)
==20277==    by 0x4E7576A: PKI_X509_OCSP_REQ_put_mem (pki_ocsp_req_io.c:287)
==20277==    by 0x405E0C: ocspd_resp_send_socket (response.c:370)
==20277==    by 0x404D1E: thread_main (threads.c:107)
==20277==    by 0x50CEEFB: start_thread (pthread_create.c:304)
==20277==    by 0x577659C: clone (clone.S:112)

Regards

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

> More important... there are memory leaks in OCSP as Joachim Astel
> told. I managed to reproduce the issue bombarding the OCSPd with
> OpenSSL OCSP checks.

Finally... the patch for the memory leak problem.
All OCSP replies were leaking. Added the free function.

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@ni...>]

>> More important... there are memory leaks in OCSP as Joachim Astel
>> told. I managed to reproduce the issue bombarding the OCSPd with
>> OpenSSL OCSP checks.

Here is the full collection of patches (latest versions) for both libpki
0.6.7 and openca-ocspd 2.1.1.

They fix memory leaks and some functionality that was not working.
Also added a "buffered response" to OCSP replies to improve number of
network packets sent.

I think they are *A MUST* to have all this working at all, so please
Max, look at it to see if they can be merged into upstream.

Re: [Openca-Users] [Openca-ocspd] Cisco Router + OCSPD-2

[Carlos V. <car...@cn...>]

Hello,

I can give some info here.

> I don't
> understand why the CISCO router would not be able to validate that!
> SHA1 is not supposed to be used for signatures anymore!!!

It depends on the IOS version in the Cisco.
"Cisco IOS SHA-2 Support for PKI" (that is SHA-256, SHA-384, SHA-512)
was introduced mainly in IOS 12.4(15)T in almost all platforms.

Regards,
Carlos Velasco


*************** AVISO LEGAL ***************
Este mensaje va dirigido, de manera exclusiva, a su destinatario y
contiene información confidencial y sujeta al secreto profesional,
cuya divulgación no está permitida por la ley. En caso de haber
recibido este mensaje por error, le rogamos que, de forma inmediata,
nos lo comunique mediante correo electrónico remitido a nuestra
atención o a través del teléfono (+34 914531200) y proceda a su
eliminación, así como a la de cualquier documento adjunto al mismo.
Asimismo, le comunicamos que la distribución, copia o utilización de
este mensaje, o de cualquier documento adjunto al mismo, cualquiera
que fuera su finalidad, están prohibidas por la ley. Le informamos,
como destinatario de este mensaje, que el correo electrónico y las
comunicaciones por medio de Internet no permiten asegurar ni
garantizar la confidencialidad de los mensajes transmitidos, así como
tampoco su integridad o su correcta recepción, por lo que el CNIC no
asume responsabilidad alguna por tales circunstancias. Si no
consintiese la utilización del correo electrónico o de las
comunicaciones vía Internet le rogamos nos lo comunique y ponga en
nuestro conocimiento de manera inmediata.

*************** LEGAL NOTICE **************
This message is intended exclusively for the person to whom it is
addressed and contains privileged and confidential information
protected from disclosure by law. If you are not the addressee
indicated in this message, you should immediately delete it and any
attachments and notify the sender by reply e-mail or by phone
(+34 914531200). In such case, you are hereby notified that any
dissemination, distribution, copying or use of this message or any
attachments, for any purpose, is strictly prohibited by law. We
hereby inform you, as addressee of this message, that e-mail and
Internet do not guarantee the confidentiality, nor the completeness
or proper reception of the messages sent and, thus, CNIC does not
assume any liability for those circumstances. Should you not agree
to the use of e-mail or to communications via Internet, you are
kindly requested to notify us immediately.