Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1378797
Description of problem:
[RFE] Web UI must check OCSP and CRL during smartcard login

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Follow http://www.freeipa.org/page/V4/External_Authentication/Setup to enable smartcard authentication to IPA Web UI
2. The smart card has a revoked certificate
3.

Actual results:
Login to Web UI is successful

Expected results:
Login to Web UI should fail

Additional info:
triage notes:
mod_nss config needs to be changed -> IPA issue NSSOCSP on
for CRL, a list needs to be loaded to the NSS db and updated regularly (mod_revocator might help).
OCSP might be therefore preferred but it might have some performance impact which needs to be tested.
I think you'll also need the ocsp signing cert in the mod_nss NSS database in order to verify the signature of the OCSP response. Additionally when this cert is renewed the mod_nss copy will need to be updated as well.
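The triage notes above come down to one configuration fact: unless mod_nss has `NSSOCSP on` in the relevant VirtualHost, a revoked smart card certificate is still accepted. The following audit script is an added example (not FreeIPA's or mod_nss's own code) that walks a mod_nss configuration and reports, per VirtualHost, whether OCSP checking is on, explicitly off, or never set; the sample configuration and host addresses are constructed, and it assumes stock Apache directive syntax where the last occurrence of a directive wins.

```python
"""Audit a mod_nss configuration for the NSSOCSP directive.

Added example, not FreeIPA's own code. Only the directive name NSSOCSP is
taken from the ticket; the sample configuration below is constructed.
"""
import re

# Constructed sample: one VirtualHost with OCSP enabled, one where it was
# commented out and then explicitly disabled, and one that never sets it
# (mod_nss leaves OCSP checking off unless the directive is set).
SAMPLE_NSS_CONF = """\
<VirtualHost _default_:443>
    NSSEngine on
    NSSOCSP on
</VirtualHost>
<VirtualHost 10.0.0.5:443>
    NSSEngine on
    # NSSOCSP on
    NSSOCSP off
</VirtualHost>
<VirtualHost 10.0.0.6:443>
    NSSEngine on
</VirtualHost>
"""

_VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
_OCSP = re.compile(r"^\s*NSSOCSP\s+(\S+)", re.M | re.I)


def audit_nss_ocsp(conf_text: str) -> dict:
    """Map each VirtualHost to 'on', 'off' or 'missing' for NSSOCSP.

    Comment lines are dropped first so a commented-out 'NSSOCSP on' is not
    mistaken for an enabled check. 'missing' is reported separately from an
    explicit 'off' because the remediation differs (add vs. change the line).
    """
    findings = {}
    for m in _VHOST.finditer(conf_text):
        name, body = m.group(1).strip(), m.group(2)
        live = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        values = [v.lower() for v in _OCSP.findall(live)]
        if not values:
            findings[name] = "missing"
        else:
            # Assumed Apache semantics: the last occurrence of a directive wins.
            findings[name] = "on" if values[-1] == "on" else "off"
    return findings


def hosts_without_revocation_check(conf_text: str) -> list:
    """VirtualHosts that would still accept a revoked smart card certificate."""
    return sorted(h for h, v in audit_nss_ocsp(conf_text).items() if v != "on")


if __name__ == "__main__":
    for host, state in audit_nss_ocsp(SAMPLE_NSS_CONF).items():
        print(f"{host}: NSSOCSP {state}")
```

Point it at the live nss.conf (on RHEL 7 the mod_nss configuration under /etc/httpd/conf.d/) after enabling smart card login to confirm the directive actually took effect in every TLS VirtualHost; the OCSP signing certificate still has to be present in the mod_nss NSS database, which this script does not check.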
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Revocation (and checking whether the certificate is revoked) is vital for the Certificate Identity Mapping feature and therefore we should raise the priority of this ticket. Without revocation there's no mechanism to prevent compromised material from logging into the system.
Metadata Update from @pvomacka: - Issue assigned to pvomacka (was: someone)
Metadata Update from @pvoborni: - Issue priority set to: blocker (was: major)
Metadata Update from @pvoborni: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/729
Seems that this ticket was not updated during push, adding commits:
master:
ipa-4-5:
@pvomacka Does it conclude the ticket? If so please close.
The OCSP check was implemented, the CRL check was not. There is another ticket for it: https://pagure.io/freeipa/issue/6954. So as we have another ticket, I'm closing this one as fixed.
Metadata Update from @pvomacka: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)