#6370 [RFE] Web UI must check OCSP and CRL during smartcard login
Closed: fixed 6 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1378797

Description of problem:
[RFE] Web UI must check OCSP and CRL during smartcard login

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Follow http://www.freeipa.org/page/V4/External_Authentication/Setup to
enable smartcard authentication to IPA Web UI
2. The smart card has a revoked certificate
3.

Actual results:
Login to Web UI is successful

Expected results:
Login to Web UI should fail

Additional info:

triage notes:

mod_nss config needs to be changed -> IPA issue
NSSOCSP on

For CRL, a list needs to be loaded into the NSS db and updated regularly (mod_revocator might help).

OCSP might therefore be preferred, but it might have some performance impact, which needs to be tested.

I think you'll also need the OCSP signing cert in the mod_nss NSS database in order to verify the signature of the OCSP response. Additionally, when this cert is renewed the mod_nss copy will need to be updated as well.

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Revocation (and checking whether the certificate is revoked) is vital for the Certificate Identity Mapping feature and therefore we should raise the priority of this ticket. Without revocation there's no mechanism to prevent compromised material from logging into the system.

Metadata Update from @pvomacka:
- Issue assigned to pvomacka (was: someone)

6 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker (was: major)

6 years ago

Metadata Update from @pvoborni:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/729

6 years ago

Seems that this ticket was not updated during push, adding commits:

master:

ipa-4-5:

@pvomacka Does it conclude the ticket? If so please close.

The OCSP check was implemented, the CRL check was not. There is another ticket for it: https://pagure.io/freeipa/issue/6954. Since we have another ticket, I'm closing this one as fixed.

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
