IIS, CRL checking, CertCheckMode 4 and RevocationFreshnessTime Metabase Property
Overview: While recently working on a related incident, I noticed that a lot of folks are running into issues with CertCheckMode 4 (MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME) in IIS 6. Per the IIS documentation, this feature is supposed to allow frequent CRL refresh:

"The client CRL is replaced by the CRL at a remote location, even if the CRL that is cached on the client is valid. The value of the RevocationFreshnessTime Metabase Property determines the frequency of this action."

While the above statement is almost true, the documentation is missing an important note: the CRL publishing interval must match the configured RevocationFreshnessTime. So, if you set a freshness time of 3600 seconds, the CRL must be published at least every 3600 seconds. If the CRL is not fresh enough, it is considered invalid and you will immediately get the following error, even for valid client certificates:

HTTP Error 403.13 - Forbidden: Client certificate has been revoked on the Web server.

The following thread describes a similar issue when directly using the CertGetCertificateChain API and passing a dwRevocationFreshnessTime value:

"If you set the freshness time to only 10m and the CRL that is downloaded from the server does not meet that freshness time, you'll get revocation offline errors. A freshness time of 10 minutes means the CRL must have been issued in the past 10 minutes, which will rarely be the case."

"So, do you mean that setting the freshness time doesn't force a new CRL download and the only thing it does is communicating that the revocation server is offline? I don't understand the logic behind all this..."

"Correct. There is no way to force a CRL download using CryptoAPI or CAPICOM. The freshness parameter is used to evaluate the freshness of the information that is available."

A couple of observations regarding the IIS metabase entries:

- The RevocationFreshnessTime Metabase Property is expressed in seconds.
- The RevocationURLRetrievalTimeout Metabase Property is expressed in milliseconds. This timeout is used to determine the maximum amount of time allowed to fetch the CRL. If a client certificate specifies 2 CRL Distribution Points (CDPs), the maximum amount of time allowed to fetch each CDP is RevocationURLRetrievalTimeout / 2.

Because of the constraints listed above, you cannot use CertCheckMode 4 to implement real-time CRL checking. You may consider other options such as using delta CRLs, shortening CRL expiration, or using OCSP. If client certificate mapping is used, a recommended approach is to use account management and disable the relevant user account.

Emmanuel Boersma
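A small model of the freshness rule and timeout split described above, as an added example (not code from the original post, IIS or CryptoAPI); the CRL issue times, clock and CDP counts are constructed, and the outcome strings stand for the HTTP status IIS returns.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    this_update: datetime  # time at which the CA issued this CRL


def crl_age_seconds(crl: Crl, now: datetime) -> float:
    """Age of the cached CRL, measured from its issue time."""
    return (now - crl.this_update).total_seconds()


def evaluate_client_cert(crl: Crl, now: datetime, freshness_s: int,
                         serial_revoked: bool) -> str:
    """Outcome under CertCheckMode 4 as the post describes it: the CRL must
    have been issued within RevocationFreshnessTime seconds, otherwise the
    certificate is rejected with 403.13 even if it was never revoked."""
    if crl_age_seconds(crl, now) > freshness_s:
        return "403.13"  # CRL too old for the configured freshness window
    return "403.13" if serial_revoked else "200"


def per_cdp_timeout_ms(retrieval_timeout_ms: int, cdp_count: int) -> int:
    """RevocationURLRetrievalTimeout (milliseconds) is shared evenly across
    the CRL Distribution Points carried by the client certificate."""
    if cdp_count < 1:
        raise ValueError("certificate must carry at least one CDP")
    return retrieval_timeout_ms // cdp_count


def freshness_is_satisfiable(publish_interval_s: int, freshness_s: int) -> bool:
    """A CRL fetched just before the CA publishes the next one is already
    publish_interval_s old, so the freshness window must cover the whole
    publishing interval or valid certificates will intermittently get 403.13."""
    return publish_interval_s <= freshness_s


def simulate(age_s: int, freshness_s: int, revoked: bool = False) -> str:
    """Convenience wrapper: a constructed CRL issued age_s seconds before a
    constructed 'now'."""
    now = datetime(2011, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    crl = Crl(this_update=now - timedelta(seconds=age_s))
    return evaluate_client_cert(crl, now, freshness_s, revoked)
```

Running simulate(1800, 3600) gives "200" while simulate(1800, 600) gives "403.13": the same valid certificate and the same CRL, rejected only because the freshness window is shorter than the CRL's age.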
Source site: Blog de l'équipe support IIS France (French IIS Support Team Blog).