Jump to: navigation, search

CVE-2012-4546


CVE-2012-4546: Incorrect CRLs publishing

Summary

It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL, however this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica.

To avoid this inconsistency, the solution is to configure CRL generation to only take place on one Identity Management server. To do so, the CRL configuration must be changed on all Identity Management servers.

Affected Versions

All 2.x and 3.x versions using multiple CA replicas

Impact

Low

Acknowledgements

The bug was found by the FreeIPA team during an internal review.

Upgrade Instructions

Upgrading to the latest 3.0 or 3.1 FreeIPA versions should be sufficient to resolve the issue.

Manual Instructions

To manually resolve the problem the CRL configuration must be changed on all Identity Management servers. One IPA master needs to be picked as the CRL generator. It does not matter which master, and the following procedure should be used:

On the non-CRL generating masters:

1. Configure the clones to point to the CRL generator to get the CRL:

1a. Edit /etc/httpd/conf.d/ipa-pki-proxy.conf 1b. Add "|^/ca/ee/ca/getCRL" to the end of the first LocationMatch. After editing, the first LocationMatch entry in ipa-pki-proxy.conf should look like this:

<LocationMatch 
"^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">

1c. At the end of this file add:

RewriteRule ^/ipa/crl/MasterCRL.bin 
https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL 
[L,R=301,NC]

1d. Replace $FQDN with the hostname of the IPA master picked as the CRL generator. 1e. The httpd service will need to be restarted after making this change:

# service httpd restart

2. Update the CRL generator to include certificates revoked from other masters in its CRL:

2a. Edit the CA configuration file in /var/lib/pki-ca/conf/CS.cfg: These two settings should be true by default:

ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true

2b. Set this directive to true (This can be appended to the end of CS.cfg):

ca.listenToCloneModifications=true

2c. The CA will need to be restarted after making this change:

# service pki-cad restart

It may be noted that this configuration creates a single point of failure. If the CRL generator server goes down then the other IPA masters will not be able to retrieve a CRL and one will not be generated. In this case one would need to choose a new master as the CRL generator and perform the steps above. It is recommended that a DNS CNAME be created to refer to the server that provides the CRL (with a relatively short TTL). This will provide flexibility in case the CRL generator needs to be changed, and without reconfiguring any clients that need to retrieve the CRL.

Patches

A patch to resolve this issue is available through our git repository: http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=392097f20673708a684da168aec302da7ccda9a6