cat-users AT lists.geant.org
Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)
Re: [[cat-users]] CRL Distribution Point in the server certificate points to a non-existing location
- From: Stefan Winter <stefan.winter AT restena.lu>
- To: Stefan Meichtry <stefan.meichtry AT ffhs.ch>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
- Subject: Re: [[cat-users]] CRL Distribution Point in the server certificate points to a non-existing location
- Date: Thu, 24 Aug 2017 16:58:48 +0200
- Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
on further inspection, our parser for CRLs is /slightly/ mistaken by
adding a space character after the end of the URL.
This has gone unnoticed because most web servers tolerate asking for a
URL ending in space by ignoring it and delivering the real file instead.
Apparently, the web server which hosts /this/ CRL does not and throws a
Bad Request error.
I have improved the parser and the fix is being rolled out to the prod
instance on cat.eduroam.org in the coming days. Once it is in, CRL
checks should work even more reliably than they did so far.
Greetings,
Stefan Winter
On 24.08.2017 at 14:40, Stefan Winter wrote:
> Hello,
>
>> I have a problem with the „Realm testing“ for our realm „ffhs.ch“.
>>
>> The tool tells me: “The extension 'CRL Distribution Point' in the server
>> certificate points to a non-existing location.” (see attached screenshot)
>>
>> The location in the certificate is:
>> http://ca.ffhs.ch/ffhs_eduroam_radius_ca.crl
>>
>> I have tried this location from internal and external, and I always got
>> the CRL.
>>
>> What could be wrong?
>
> RFC5280 section 4.2.1.13. states: "When the HTTP or FTP URI scheme is
> used, the URI MUST point to a single DER encoded CRL as specified in
> [RFC2585]."
>
> The URL you have in the certificate points to a PEM-encoded file, not a
> DER-encoded file.
>
> So, our error message slightly misses the point, granted. But it made
> you look in the right direction, which I guess means it has done its job :-)
>
> Greetings,
>
> Stefan Winter
>
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
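The two checks discussed in this thread, as an added example written for this page and not CAT's own code (CAT is a PHP application; this is a standard-library-only Python stand-in): first, normalising the CRL Distribution Point URI so that no stray whitespace reaches the HTTP request line, which is the parser defect Stefan describes above, and second, telling a DER-encoded CRL from a PEM-encoded one, which RFC 5280 section 4.2.1.13 requires for http/ftp CDPs and which is the actual reason the ffhs.ch check failed. The sample CRL is constructed inline with a junk signature value and is not a real ffhs.ch CRL; the function names and the "verdict" strings are this example's own, not CAT's.

```python
import base64, re

# Minimal DER helpers (standard library only).
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def der_tlv(data: bytes, pos: int):
    """Decode the TLV at data[pos]; return (tag, content_start, content_end)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nb = first & 0x7F
        if nb == 0 or nb > 4:
            raise ValueError("unsupported DER length encoding")
        n, hdr = int.from_bytes(data[pos + 2:pos + 2 + nb], "big"), 2 + nb
    if pos + hdr + n > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, pos + hdr, pos + hdr + n

# Constructed sample CRL for this example (not a real ffhs.ch CRL; signature bytes are junk).
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
TBS = der(0x30, der(0x02, b"\x01") + SHA256_RSA + ISSUER                    # version v2, sigalg, issuer
          + der(0x17, b"170824000000Z") + der(0x17, b"170924000000Z")       # thisUpdate, nextUpdate
          + der(0x30, der(0x30, der(0x02, b"\x10\x01") + der(0x17, b"170801000000Z"))))  # 1 revoked
SAMPLE_DER_CRL = der(0x30, TBS + SHA256_RSA + der(0x03, b"\x00" + b"\xAB" * 32))
SAMPLE_PEM_CRL = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER_CRL)
                  + b"-----END X509 CRL-----\n")

def extract_cdp_uri(raw: str) -> str:
    """Normalise a CDP URI read from a certificate: strip the whitespace a sloppy
    parser may leave behind and accept only http/ftp (RFC 5280 4.2.1.13)."""
    uri = raw.strip()
    if not uri.lower().startswith(("http://", "ftp://")):
        raise ValueError(f"expected an http or ftp URI, got {uri!r}")
    return uri

def http_request_line(uri: str) -> str:
    # A client sending the path verbatim: a trailing space yields 'GET /x.crl  HTTP/1.1' (400 on strict servers).
    parts = uri.split("/", 3)
    return f"GET /{parts[3] if len(parts) > 3 else ''} HTTP/1.1"

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)
def classify_crl(body: bytes):
    """Return ('der' | 'pem' | 'invalid', der_bytes) for a fetched CDP body."""
    if body[:1] == b"\x30":                            # outer SEQUENCE of CertificateList
        try:
            _, _, end = der_tlv(body, 0)
        except (ValueError, IndexError):
            return "invalid", None
        return ("der", body) if end == len(body) else ("invalid", None)
    m = PEM_RE.search(body)
    if m:
        try:
            return "pem", base64.b64decode(m.group(1))  # embedded newlines are discarded
        except ValueError:
            return "invalid", None
    return "invalid", None

def crl_summary(der_crl: bytes) -> dict:
    """Pull version, thisUpdate, nextUpdate and revoked serials out of a DER CRL."""
    _, start, _ = der_tlv(der_crl, 0)                  # CertificateList
    _, pos, tbs_end = der_tlv(der_crl, start)          # tbsCertList
    fields = []
    while pos < tbs_end:                               # split tbsCertList into its fields
        tag, s, e = der_tlv(der_crl, pos)
        fields.append((tag, s, e))
        pos = e
    info = {"version": 1, "revoked": []}
    if fields[0][0] == 0x02:                           # optional version INTEGER (v2 encodes 1)
        _, s, e = fields.pop(0)
        info["version"] = int.from_bytes(der_crl[s:e], "big") + 1
    fields = fields[2:]                                # skip signature AlgorithmIdentifier, issuer
    for key in ("thisUpdate", "nextUpdate"):           # UTCTime or GeneralizedTime; nextUpdate optional
        if fields and fields[0][0] in (0x17, 0x18):
            _, s, e = fields.pop(0)
            info[key] = der_crl[s:e].decode("ascii")
    if fields and fields[0][0] == 0x30:                # revokedCertificates
        _, pos, end = fields[0]
        while pos < end:
            _, es, ee = der_tlv(der_crl, pos)          # one entry: {serial, revocationDate, ...}
            _, ss, se = der_tlv(der_crl, es)           # userCertificate INTEGER
            info["revoked"].append(int.from_bytes(der_crl[ss:se], "big"))
            pos = ee
    return info

def check_cdp(raw_uri: str, body: bytes) -> str:
    """Verdict in the spirit of the CAT realm check, naming the actual defect."""
    uri = extract_cdp_uri(raw_uri)
    kind, der_crl = classify_crl(body)
    if kind == "invalid":
        return f"{uri}: body is neither a DER nor a PEM CRL"
    info = crl_summary(der_crl)
    if kind == "pem":
        return (f"{uri}: CRL is PEM-encoded, but RFC 5280 4.2.1.13 requires a single "
                f"DER-encoded CRL (v{info['version']}, {len(info['revoked'])} revoked)")
    return f"{uri}: OK, DER CRL v{info['version']}, thisUpdate {info['thisUpdate']}, {len(info['revoked'])} revoked"
```

`check_cdp("http://ca.ffhs.ch/ffhs_eduroam_radius_ca.crl ", SAMPLE_PEM_CRL)` reproduces the situation in the thread: the URI is cleaned before any request is built, and a PEM body is reported as the wrong encoding rather than as a missing file. Whether a client that keeps the trailing space gets a 400 (space sent raw, as the thread reports) or a 404 (space percent-encoded, so a different file name is requested) depends on the HTTP library; either way the CRL is not delivered. A production check would additionally verify the CRL signature against the issuing CA certificate and compare nextUpdate with the current time, which this example deliberately does not attempt.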