[Gpg4win-devel] Dirmngr and CRL publishing via HTTPS

Dr. Peter Voigt pvoigt at uos.de
Fri Jul 26 18:20:03 CEST 2013


To be honest: Dirmngr is an S/MIME component that I've been neglecting
for a long time now. The reason is rather simple: the most important
security components for me that make use of CRLs are my FreeRADIUS and my
OpenVPN server. Both need to have an up-to-date copy of the CRL
of my Root CA; this is necessary to reject revoked client certificates.

Inspired by some posts on the list, I started yesterday to get
familiar with dirmngr and the operating-system-specific differences of
this component when running under Windows 7 and Linux.

The crlDistributionPoints attribute of my Root CA points to an HTTP
location. As my PKI has been up for several years now, I have obviously
forgotten why I once decided to use an HTTP URL. As my web server provides
access to some personal areas with password protection for friends and
colleagues, I decided years ago to use Apache's mod_rewrite to
redirect all HTTP requests to HTTPS. But dirmngr is obviously unable to
fetch the CRL via HTTPS. The log message is not clear to me:

...
too many redirections
crl_fetch via DP failed: Keine Daten [No data]
command ISVALID failed: Keine Daten [No data]
...

In a first attempt I provided an exception in mod_rewrite for my
Root CA CRL URL: immediately dirmngr successfully imported my CRL via
HTTP.

Does anybody know if CRL publishing via HTTPS is forbidden altogether,
or does the above error message point to another issue?

Regards,
Peter
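As an added illustration (not the original poster's configuration, and not part of the Gpg4win or GnuPG projects), here is one way to express the mod_rewrite exception described in the post: the CRL path stays reachable over plain HTTP while every other request on port 80 is redirected to HTTPS. The hostname www.example.org, the path /pki/root-ca.crl, the DocumentRoot and the Apache 2.4 access-control syntax are all assumptions.

```apache
# Added example, not the poster's real config. Hostname, paths and
# DocumentRoot are assumptions; Apache 2.4 syntax ("Require") is assumed.
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/html

    RewriteEngine On
    # Exception: leave the CRL distribution point on plain HTTP. In the
    # poster's setup dirmngr fetches it via HTTP and gives up on the
    # redirect ("too many redirections").
    RewriteCond %{REQUEST_URI} !^/pki/root-ca\.crl$
    # Everything else: redirect to HTTPS, preserving host and path.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Serve the CRL with the MIME type expected for a DER-encoded CRL and
    # make sure it is not caught by any password-protected area.
    <Location "/pki/root-ca.crl">
        ForceType application/pkix-crl
        Require all granted
    </Location>
</VirtualHost>
```

After reloading Apache, `curl -sI http://www.example.org/pki/root-ca.crl` should answer 200 with `Content-Type: application/pkix-crl` instead of a 301, while any other path on port 80 still redirects. Serving the CRL over plain HTTP does not weaken it: a CRL carries the CA's signature, and that signature, not the transport, is what dirmngr, FreeRADIUS and OpenVPN verify before trusting the revocation list.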

