Thursday, June 1, 2017

OCSP tool to check certificates revocation status

In a CA chain of trust you will probably see something similar to the following:

That's the chain of trust, where the root CA signs the intermediate CA and the intermediate CA signs the server's certificate request and issues the certificate.

The chain could be long and deep, but typically it is 3 or 4 links deep. In this example we will check an Entrust chain, which looks like the following:

The tool we will use is ocsptool. It is simple, but it does require you to have each certificate in the chain available on disk. You check each level of the chain from the bottom to the top, all the way up to the Root.crt.

Here's a screenshot of Socpuppets doing just this. The OCSP protocol is being used, and you can easily find the OCSP URL via openssl.

e.g. (I'm querying my webserver certificate to find the OCSP responder server URI that we will direct the OCSP query against)

{ responder URL as listed in the certificate }

Okay, let's start checking the chain by using ocsptool and the responder:

1st: the actual web server certificate against the intermediate CA that signed that cert

Next, the two intermediate CAs

Lastly, the root CA and intermediate CA

And finally, here's how the display looks if the certificate was actually revoked.
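The same bottom-to-top walk can be scripted with the OCSP client built into openssl instead of ocsptool. The script below is an added example and is not from the original post or from the ocsptool project; the file names leaf.pem, inter.pem and root.pem are assumptions, and each certificate is queried against the one above it, with the responder URI read straight out of the certificate's Authority Information Access extension, exactly as the openssl lookup above does.

```shell
#!/bin/sh
# Added example, not part of the original post: the bottom-to-top chain
# check the post performs with ocsptool, done here with openssl's built-in
# OCSP client. All file names (leaf.pem, inter.pem, root.pem) are assumptions.
set -eu

# Print the OCSP responder URI from the certificate's Authority Information
# Access extension (empty output if the cert carries none, as most roots do).
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Ask the responder named in $cert about $cert, using $issuer both to build
# the request and as the trust anchor for verifying the signed response.
# Prints exactly one word (good, revoked or unknown) on success. A network
# failure or an unverifiable response returns non-zero, so a responder
# outage can never be mistaken for "good" by the caller.
ocsp_status() {
    cert=$1; issuer=$2
    uri=$(ocsp_uri "$cert")
    if [ -z "$uri" ]; then
        echo "no OCSP URI in $cert" >&2
        return 2
    fi
    # openssl ocsp writes "Response verify OK" and errors to stderr, and the
    # "<file>: <status>" summary line to stdout; capture both.
    out=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
              -CAfile "$issuer" -timeout 10 2>&1) || { echo "$out" >&2; return 1; }
    echo "$out" | grep -q '^Response verify OK' || { echo "$out" >&2; return 1; }
    echo "$out" | awk -v c="$cert:" \
        '$1 == c && ($2 == "good" || $2 == "revoked" || $2 == "unknown") { print $2 }'
}

# Walk the chain bottom to top: leaf against its issuer, then each
# intermediate against the next one up. The root is only ever used as an
# issuer; it is not queried itself, since it has no OCSP URI of its own.
# Exit status is 0 only when every link came back "good".
check_chain() {
    rc=0
    while [ $# -ge 2 ]; do
        cert=$1; issuer=$2
        if status=$(ocsp_status "$cert" "$issuer"); then
            echo "$cert -> $issuer: $status"
            [ "$status" = good ] || rc=1
        else
            echo "$cert -> $issuer: OCSP check failed"
            rc=1
        fi
        shift
    done
    return $rc
}

# Usage: ./ocsp-chain.sh leaf.pem inter2.pem inter1.pem root.pem
if [ $# -ge 2 ]; then
    check_chain "$@"
fi
```

Note the deliberate failure mode: a responder that does not answer makes the script fail the link rather than pass it, which is the opposite of the browser soft-fail behaviour discussed further down the post.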

Using the OCSP tool does the following:

  •   ensures, from the client side, that OCSP is working
  •   confirms that you have a valid OCSP responder server for the query within that chain
  •   allows you to validate any part of the CA chain from the root to the end certificate
  •   validates the certificate status as either good or revoked

What it will not do:

  •   validate the expiration date; that's not a function of the OCSP query, that's a function of the web client
  •   validate that your web browser client is actually using the OCSP services

OCSP is pretty reliable and has very few weaknesses or vulnerabilities, apart from attacks on the responder, if OCSP stapling is in use on the server.

I'm curious: if one manages to compromise a webserver certificate and then attack the OCSP infrastructure so that the OCSP responders cannot reliably send the response, could a web end-user mistakenly connect to a compromised website? Most browsers fall through to allow if the OCSP responder does not respond.

You can learn more about OCSP here.

To confirm whether your web browser is using OCSP, you can use Wireshark or tcpdump and monitor traffic to a known OCSP responder address. Every HTTPS session to a site that uses that OCSP responder should generate an OCSP request.
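Because the responder address is already printed by the openssl lookup earlier in the post, the capture filter can be derived from it rather than typed by hand. The helper below is an added example, not code from the original post; the responder URL in its usage comment is a constructed placeholder, and it assumes tcpdump or Wireshark is available on the client being checked.

```shell
#!/bin/sh
# Added example, not from the original post: derive a tcpdump/tshark capture
# filter from the responder URI that "openssl x509 -ocsp_uri" prints, so a
# client can confirm that its browser really sends OCSP requests.
set -eu

# Host part of an http(s) URL: strip the scheme, then anything after the
# first "/" and after the ":" that introduces an explicit port.
url_host() {
    hp=${1#*://}
    hp=${hp%%/*}
    echo "${hp%%:*}"
}

# Port part of an http(s) URL, defaulting to 80 for http and 443 for https
# when the URL does not name one (OCSP responders almost always use plain
# HTTP on port 80, so that the fetch does not itself depend on TLS).
url_port() {
    hp=${1#*://}
    hp=${hp%%/*}
    case $hp in
        *:*) echo "${hp##*:}" ;;
        *)   case $1 in
                 https://*) echo 443 ;;
                 *)         echo 80 ;;
             esac ;;
    esac
}

# BPF capture filter matching traffic to the responder. OCSP is carried over
# ordinary HTTP, so a plain "host ... and tcp port ..." expression is enough.
ocsp_capture_filter() {
    echo "host $(url_host "$1") and tcp port $(url_port "$1")"
}

# Usage (placeholder responder; substitute the URI openssl reports):
#   uri=$(openssl x509 -noout -ocsp_uri -in server.crt)
#   sudo tcpdump -ni any "$(ocsp_capture_filter "$uri")"
# In Wireshark, the display filter "ocsp" decodes the OCSPRequest and
# OCSPResponse messages. Load the site in the browser under test: if no
# request to the responder appears while the HTTPS session is set up, that
# browser is not consulting OCSP for the certificate (or has it stapled).
if [ $# -ge 1 ]; then
    ocsp_capture_filter "$1"
fi
```

The split into url_host and url_port matters in practice: a responder on a non-standard port, or one reached over https, would otherwise be filtered out and look exactly like a browser that never asked.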

Ken Felix

Ken Felix
NSE (network security expert) and Routing/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \
