
I'd like to see openssl s_client print or show an error if a server presents a revoked certificate.

Servers I've tested against include:

The command I've used is:

HOST="revoked.badssl.com" ; echo -en "GET / HTTP/1.1\r\nHost: $HOST\r\n\r\n" | openssl s_client -ign_eof -connect $HOST:443 -ign_eof -prexit -security_debug_verbose -crl_download -crl_check_all -debug

I've tried variations of including or not including the command line options, but I get HTML, indicating that s_client sent the GET request and received data when I was hoping it would error out beforehand.

In the revoked.badssl.com case, I've seen an error message "Verification error: unable to get certificate CRL", but I can download those CRLs manually.

Patrick Mevzek
  • Use `-crl_check` instead of `-crl_check_all` which apparently tries to get a CRL for the root (which doesn't actually make sense and may be a bug) but the root (correctly) doesn't have a CRLDP causing a spurious error code. (Interestingly, `openssl verify -crl_check_all -crl_download` on the same chain and root does correctly show 'revoked'.) Note however that `openssl s_client` by default continues with the connection even if cert validation fails; to avoid this add `-verify_return_error`. – dave_thompson_085 Feb 10 '23 at 00:26
  • @dave_thompson_085: How can you tell that s_client is trying to get a CRL for the root cert? – President James K. Polk Feb 10 '23 at 01:24
  • Using the Digicert domain, I can confirm that behavior using `openssl verify` (after `cat`ing both the root cert and intermediate cert into `chain.pem`): `openssl verify -CAfile chain.pem -crl_check_all -crl_download revoked.crt` shows revoked. It also shows the same revoked when using `-crl_check`. Now to try with various arguments to `s_client` – notatypewriter Feb 10 '23 at 03:18
  • Interesting... `HOST="revoked.badssl.com" ; echo -en "GET / HTTP/1.1\r\nHost: $HOST\r\n\r\n" | openssl s_client -ign_eof -connect $HOST:443 -ign_eof -prexit -security_debug_verbose -crl_download -crl_check_all -debug -verify_return_error -CAfile DigitCertTLSECCP384RootG5.crt.pem` showed certificate revoked. `s_client` still sent the GET request, but scrolling up past that definitely shows OpenSSL detecting the certificate being revoked. However, leaving off the `-CAfile` argument shows "unable to get local issuer certificate". I was assuming that OpenSSL would pull my local CA cert store. – notatypewriter Feb 10 '23 at 03:31
  • Hah, just checked my local CA store at `/etc/ssl/certs` and none of the readable filenames indicate that the DigiCert G5 cert is in that store. Switching to checking against `global-root-g3-revoked.chain-demos.digicert.com` and omitting the `-CAfile` argument shows certificate revoked. The GET request and response still go through, however, even with the `-verify_return_error`. – notatypewriter Feb 10 '23 at 03:47
  • nota: because the 'couldn't get CRL' code occurred in the callback log entry for the root cert (depth=2). I do get the HTTP request/response suppressed by `-verify_return_error` (when the error occurs, of course) on every OpenSSL I have; what version do you have, and how or where was it built (i.e. did you build it or did you install a package, and from where)? – dave_thompson_085 Feb 12 '23 at 04:40
  • I'm using OpenSSL 1.1.1 provided by Ubuntu 18.04 – notatypewriter Feb 23 '23 at 03:58
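The difference dave_thompson_085 describes above (`-crl_check` only needs a CRL for the leaf's issuer, while `-crl_check_all` wants a CRL for every certificate up the chain, so a root that issues none produces "unable to get certificate CRL") can be reproduced offline. The script below is an added example, not code from the question or the comments: it builds a constructed root/intermediate/leaf PKI with `openssl` (assumed to be on PATH), revokes one leaf, and compares the two flags with `openssl verify` using a local `-CRLfile` instead of `-crl_download`.

```shell
# Added example, not taken from the question or its comments: build a throwaway
# root -> intermediate -> leaf PKI, revoke one leaf in the intermediate's CRL, and
# compare `openssl verify -crl_check` with `-crl_check_all`. Every file and
# subject name here (demo.cnf, Demo-Root, inter.crl, ...) is constructed.
set -e
build_demo_pki() {
  cd "$(mktemp -d)"
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ inter_ca ]
database = index.txt
certificate = inter.pem
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF
  REQ="openssl req -config demo.cnf -newkey rsa:2048 -nodes"
  $REQ -x509 -days 30 -subj /CN=Demo-Root -keyout root.key -out root.pem
  $REQ -subj /CN=Demo-Inter -keyout inter.key -out inter.csr
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -out inter.pem
  for n in revoked good; do    # two leaves issued by the intermediate
    $REQ -subj "/CN=$n.example" -keyout "$n.key" -out "$n.csr"
    openssl x509 -req -in "$n.csr" -CA inter.pem -CAkey inter.key -CAcreateserial -out "$n.pem"
  done
  touch index.txt              # empty database for `openssl ca`
  openssl ca -config demo.cnf -name inter_ca -revoke revoked.pem
  openssl ca -config demo.cnf -name inter_ca -gencrl -out inter.crl   # the root issues no CRL
}
# One word summarising what `openssl verify` reports for leaf $1 in CRL mode $2.
verify_status() {
  out=$(openssl verify -CAfile root.pem -untrusted inter.pem -CRLfile inter.crl "$2" "$1" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;   # some issuer in the chain has no CRL
    *": OK"*)                          echo OK ;;
    *)                                 echo OTHER ;;
  esac
}
build_demo_pki >/dev/null 2>&1
for leaf in revoked.pem good.pem; do for mode in -crl_check -crl_check_all; do
  echo "$leaf $mode -> $(verify_status "$leaf" "$mode")"
done; done
```

The revoked leaf is reported as revoked under both flags because OpenSSL checks the leaf first and stops there; the good leaf passes `-crl_check` but fails `-crl_check_all` with "unable to get certificate CRL" because nothing in the chain carries a root-issued CRL.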
