cryptnet(2/2): Treat CRL retrieval errors as non-errors in certificate revocation checking.

Juan Lang juan.lang at gmail.com
Sat Feb 18 21:43:45 CST 2012


This is part two to fix bug 29902.

The trouble starts with the certificate that's being checked.  It
contains the following CRL distribution point:
http://corppki/crl/Microsoft Secure Server Authority(8).crl

Yup, MS put a non-qualified domain name in the certificate.  Beauty.
So obviously retrieving this fails from anywhere, except, presumably,
Microsoft.  I have to assume that native treats such errors as
non-fatal, and indeed, others have shown that appears to be the
case[1].  I'd like to write a test to verify that, but I haven't.
Chalk it up to laziness if you like.

By masking CRL retrieval errors, it's possible for an adversary to
cause a revoked certificate to continue to be used after it's been
revoked, by blocking access to the CRL distribution point.  However,
as others have noted, CRL distribution points aren't necessarily known
for their ability to stay up at all times[2], so CRL checking is
probably not depended on in general to protect against this sort of
attack.  Furthermore, cryptnet still doesn't support OCSP checking, so
it's hard to argue that in practice this makes users much more
vulnerable than they already are.

Hence this change.  I really hope users who are sensitive to attackers
who can carry out SSL/TLS man-in-the-middle attacks don't use Wine for
their sensitive communications:  I wrote this code for my own
interest, not necessarily to protect users' data confidentiality.  If
you are, talk to me in another forum!  I can try to direct you to
better options.
--Juan

[1] http://www.imperialviolet.org/2011/03/18/revocation.html
[1] http://www.imperialviolet.org/2012/02/05/crlsets.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Treat-CRL-retrieval-errors-as-non-errors-in-certific.patch
Type: text/x-patch
Size: 1055 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-patches/attachments/20120218/bc14237a/attachment.bin>


More information about the wine-patches mailing list