Estonian ID card CRL

Posted by instigater 
September 28, 2016 03:17AM
Hi,
I tried to implement the Estonian ID card CRL. Unfortunately I failed with nginx versions 1.8.0 and 1.10.1. Is it normal that nginx hangs with 100% CPU usage for a CRL size of 50 MB? I waited 100 minutes and it still had not finished processing one request. If/when will nginx support client certificate revocation checks over OCSP, or is there some problem with large CRLs?

Here is the relevant config:

ssl_verify_client on;
ssl_verify_depth 2;

ssl_client_certificate /etc/nginx/ssl/ee/ee_all_20160927.pem;
ssl_crl /etc/nginx/ssl/ee/ee_all_20160927.crl.pem;


I converted CRLs from DER to PEM and then concatenated all 4 actual CRLs into one file. This file turned out to be around 50 MB in size.

https://sk.ee/en/repository/
https://sk.ee/en/repository/CRL/
Re: Estonian ID card CRL
September 28, 2016 03:29AM
Try a smaller subset, the latest nginx/openssl(102j).

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Estonian ID card CRL
September 28, 2016 07:32AM
Cannot replicate as using just one CRL gives me error 400.

Testing with openssl against the largest CRL finishes in 2.2 seconds.

$ time openssl verify -crl_check -CAfile ESTEID-SK_2011.pem -CRLfile esteid2011.crl.pem reinis-eid.pem
reinis-eid.pem: C = EE, O = ESTEID (DIGI-ID E-RESIDENT), OU = authentication, CN = "MIKELSONS,REINIS,39303280025", SN = MIKELSONS, GN = REINIS, serialNumber = 39303280025
error 23 at 0 depth lookup:certificate revoked
real 0m2.220s
user 0m1.752s
sys 0m0.464s

The latest unrevoked certificate against the latest intermediate with a CRL of 1.7 MB finishes in 0.06 seconds.
$ time openssl verify -crl_check -CAfile ESTEID-SK_2015.pem.crt -CRLfile esteid2015.crl.pem reinis_esteid-sk2015.pem
reinis_esteid-sk2015.pem: OK
real 0m0.062s
user 0m0.056s
sys 0m0.004s



Edited 2 time(s). Last edit at 09/28/2016 07:35AM by instigater.
Re: Estonian ID card CRL
September 28, 2016 08:10AM
Check nginx log files.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Estonian ID card CRL
September 28, 2016 08:12AM
Nothing while nginx is checking the client certificate, and I never waited long enough for nginx to finish processing the request (I managed to wait 100 minutes one time).

I can give you revoked user certificate (which is on the largest revocation list) to test in your environment.



Edited 1 time(s). Last edit at 09/28/2016 08:14AM by instigater.
Re: Estonian ID card CRL
September 28, 2016 08:27AM
Test it first with the latest dev version 1.11.5.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Estonian ID card CRL
September 30, 2016 07:34AM
I managed to build and test with version 1.11.4. The results are mixed. The good news is that it doesn't hang. The bad news is that the CRL doesn't work and a legit client certificate is being rejected. The message is:

2016/09/28 18:40:44 [info] 4410#0: *1 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers, client: ....
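Verify error 3 is X509_V_ERR_UNABLE_TO_GET_CRL: OpenSSL found no CRL for some issuer in the client's chain. nginx checks CRLs for every certificate in the chain (it sets CRL_CHECK together with CRL_CHECK_ALL), so the ssl_crl bundle must contain a CRL from each CA in the chain, not only from the CA that issued the leaf. The following is an added example, not code from the thread or from nginx: a pure-Python check that lists the CAs in a PEM ssl_client_certificate bundle that have no CRL in a PEM ssl_crl bundle. The sample Root/Intermediate certificates and the Root-only CRL are constructed inline (unsigned, for illustration); Name matching is by exact DER bytes, which is stricter than OpenSSL's comparison.

```python
"""Added example, not from the thread: list CAs in an nginx ssl_client_certificate bundle
that have no matching CRL in the ssl_crl bundle (nginx checks CRLs for the whole chain)."""
import base64, re

def der_items(buf):
    """Yield (tag, value) for each DER TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample data."""
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8
    ln = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + ln + body

def pem_blocks(text, label):
    """DER bytes of every '-----BEGIN <label>-----' block in a PEM bundle."""
    pat = re.compile(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), re.S)
    return [base64.b64decode("".join(m.split())) for m in pat.findall(text)]

def ca_name(obj, crl=False):
    """Subject Name of a certificate, or issuer Name of a CRL, as raw DER contents."""
    f = list(der_items(next(der_items(next(der_items(obj))[1]))[1]))  # fields of the tbs SEQUENCE
    f = f[1:] if f[0][0] == (0x02 if crl else 0xA0) else f           # skip the optional version field
    return f[1][1] if crl else f[4][1]   # CRL: sigAlg, issuer / cert: serial, sigAlg, issuer, validity, subject

def name_text(name):
    """Printable form of a DER Name: attribute values joined by '/'."""
    return "/".join(list(der_items(atv))[1][1].decode("utf-8", "replace")
                    for _, rdn in der_items(name) for _, atv in der_items(rdn))

def cas_without_crl(ca_pem, crl_pem):
    """Names of CAs in ca_pem for which crl_pem holds no CRL; nginx needs this list to be empty."""
    issuers = {ca_name(c, crl=True) for c in pem_blocks(crl_pem, "X509 CRL")}
    return [name_text(s) for s in map(ca_name, pem_blocks(ca_pem, "CERTIFICATE")) if s not in issuers]

def sample_bundles():
    """Constructed sample: Root and Intermediate CA certs, but a CRL issued by Root only."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))
    alg, t = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), der(0x17, b"160928000000Z")
    pem = lambda o, l: "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (l, base64.b64encode(o).decode(), l)
    cert = lambda s, i: der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name(i),
                                     der(0x30, t, t), name(s), der(0x30)), alg, der(0x03, b"\x00"))
    crl = lambda i: der(0x30, der(0x30, der(0x02, b"\x01"), alg, name(i), t, t), alg, der(0x03, b"\x00"))
    return (pem(cert("Root", "Root"), "CERTIFICATE") + pem(cert("Intermediate", "Root"), "CERTIFICATE"),
            pem(crl("Root"), "X509 CRL"))
```

Run `cas_without_crl` on the real ssl_client_certificate and ssl_crl files; any name it prints is a CA whose CRL still has to be appended to the ssl_crl bundle.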
Re: Estonian ID card CRL
September 30, 2016 09:56AM
Google it "nginx client SSL certificate verify error"

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Estonian ID card CRL
October 03, 2016 01:11PM
Thanks for suggestion!

The more I search, the more I think that there is some kind of bug. Other people also are not able to get EID CRL working with nginx.
https://github.com/konstantint/eid-webauth-samples/blame/master/nginx/ssl-site#L11
Re: Estonian ID card CRL
October 03, 2016 03:58PM
You can always file a ticket at https://trac.nginx.org/nginx/report/1?sort=ticket&asc=0&page=1

---
nginx for Windows http://nginx-win.ecsds.eu/