Difference between CRL check in SSTP VPN and CRL check in OWA and RWA
-
June 15, 2012 5:57
Hi
I am working with CDPs and CRLs and I am wondering about the difference between the CRL check in SSTP VPN and the CRL check in OWA and RWA.
They all use the same cert, but the CRL check with SSTP VPN doesn't pass and the same check with OWA and RWA passes. Also, when the cert is checked using the certutil -verify -urlfetch command, the cert seems to pass the check. From the output file: "Leaf certificate revocation check passed".
So what exactly happens in the CRL check with SSTP VPN, and what happens in the CRL check with OWA or RWA? These processes seem to be different somehow.
All replies
-
June 15, 2012 7:16
The difference is that SSTP strictly checks all CRLs and fails to connect if one of them is not correct (valid). Internet Explorer checks all CRLs too, but passes connection if one of them is invalid.
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=39
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
Marked as answer by Aiden_Cao, Microsoft Contingent Staff, Moderator, June 29, 2012 1:32
-
June 15, 2012 9:01
Hi
Thanks for the link! It's just that the blog post says that
"To address this issue Internet Explorer 7 has introduced a setting that enables strict revocation checking. And if revocation checking fails, web browser displays a warning message."
and my IE9 doesn't give any warning about the revocation list check failure when OWA or RWA is accessed. Revocation check is on in my IE9. So it implies that the revocation check is done and it passes without errors for OWA and RWA.
Also, like I wrote earlier, the certutil -verify -urlfetch command passes with that cert.
-
June 15, 2012 9:34
> and my IE9 dont give any warning about the revocation list check failure
Because strict revocation checking is not enabled by default. You must configure the setting as specified in the article.
-
June 15, 2012 9:42
There is no such reg key in Win7 + IE9.
Instead, in my IE9 there is a setting for the revocation check at Internet Options -> Advanced tab -> Check for server certificate revocation.
This setting seems to be on by default.
-
June 15, 2012 15:06
You must manually create this registry entry.
> This setting seem to be on by default.
Yep. As stated, IE checks the SSL certificate for revocation and shows a warning message if it is revoked. If revocation information is unavailable or invalid, then the certificate is considered valid.
-
June 18, 2012 9:39
I made the reg key but it did not have any effect.
TRANSLATIONS:
oletus = default
arvoa ei ole asetettu = value has not been set
-
June 18, 2012 18:14
Did you restart the computer? Also, if you still don't see the warning message, then it may indicate that CRL information is available and up-to-date.
-
June 19, 2012 7:14
Yes, I did restart, and the cert's CRL Distribution Point list only shows an LDAP URL but not an HTTP URL.
What I have understood is that an HTTP URL is needed for the revocation list check.
Maybe the strict revocation list check is not included anymore in IE9?
-
June 20, 2012 18:18
> What I have understood is that HTTP URL is needed for revocation list check.
If LDAP is accessible for clients, it is enough to use this protocol for revocation checking.
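The two points this thread turns on, the CDP URL types a cert publishes (LDAP versus HTTP) and the difference between a strict check that fails on unknown revocation status and a lenient one that only fails on a positive "revoked" answer, can be reproduced locally with .NET's X509Chain. The following is an added example for this thread, not code from any of the posters; the certificate path is a placeholder you must replace.

```powershell
# Added example: list a certificate's CDP URLs, then run an online revocation
# check over the whole chain and classify the result two ways: strictly
# (unknown/offline status fails, as SSTP does) and leniently (only a
# confirmed revocation fails, as IE does without the strict setting).
$CertPath = 'C:\path\to\server-cert.cer'   # placeholder: point at your cert file

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. CRL Distribution Points extension (OID 2.5.29.31): shows whether only
#    LDAP URLs or also HTTP URLs are available to the client.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), '(?i)(ldap|http)://\S+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        $scheme = ($u -split ':')[0].ToLower()
        Write-Output ("CDP [{0}] {1}" -f $scheme, $u)
    }
} else {
    Write-Output 'No CDP extension present: there is nothing to fetch a CRL from.'
}

# 2. Build the chain with online revocation checking for every certificate
#    in the chain (the root is self-signed and has no CRL of its own).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
$null = $chain.Build($cert)

foreach ($s in $chain.ChainStatus) {
    Write-Output ("Chain status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

# 3. Separate a confirmed revocation from "could not determine" results.
$Flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$revoked = $chain.ChainStatus | Where-Object { $_.Status -band $Flags::Revoked }
$unknown = $chain.ChainStatus | Where-Object {
    ($_.Status -band $Flags::RevocationStatusUnknown) -or ($_.Status -band $Flags::OfflineRevocation)
}

$strictOk  = (-not $revoked) -and (-not $unknown)   # SSTP-like: unknown status is a failure
$lenientOk = (-not $revoked)                        # IE default-like: only "revoked" fails

Write-Output ("Strict check (SSTP behaviour):        {0}" -f $(if ($strictOk)  { 'PASS' } else { 'FAIL' }))
Write-Output ("Lenient check (IE default behaviour): {0}" -f $(if ($lenientOk) { 'PASS' } else { 'FAIL' }))
```

If the CDP list shows only LDAP URLs, run this from a machine that cannot reach the directory (for example, outside the domain) to see the strict result flip to FAIL while the lenient one still reports PASS.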