View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001306 | Main CAcert Website | certificate issuing | public | 2014-09-15 14:25 | 2019-04-05 21:33 |
| Reporter | wytze | Assigned To | GuKKDevel | ||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | fix available | Resolution | open | ||
| Product Version | 2014 Q3 | ||||
| Target Version | Fixed in Version | ||||
| Summary | 0001306: expired certificates should not be listed in the CAcert CRLs | ||||
| Description | The size of the current CAcert Class1 CRL (http://crl.cacert.org/revoke.crl) is 6.5 megabyte. Even the CAcert Class3 CRL (http://crl.cacert.org/class3-revoke.crl) is already 0.75 megabyte. This is causing an unacceptable huge amount of CRL download traffic (currently over 130 GB *per day*). In addition, it is causing verification failures for certain clients, e.g. the Microsoft Crypto API, due to the long time required for downloading the CRL. The main cause for the large size of the CRLs is the inclusion of *all* certificates revoked since the start of CAcert (in 2003) in there. As a result, most of the certs listed as revoked have expired a long time ago already, and are thus invalid anyway. There is no RFC requirement to include such expired certs in the CRL; omitting them will result in CRLs of a much more manageable size. | ||||
| Steps To Reproduce | The attached logfile shows an example of failure on the Microsoft platform for the command: certutil -f -verify -urlfetch -t 30 server.crt | ||||
| Additional Information | See also http://social.technet.microsoft.com/Forums/windowsserver/en-US/7e69d0d1-1df2-4830-8d22-f887b6261062/cacert-revocation-server-offline?forum=w7itprosecurity | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
|
|
crl-size-issue.log (5,228 bytes) |
|
|
At test.cacert.org is a first workaround available und /home/GuKKDevel/bug-1306/EliminateExpired.pl. Since the CRL is built from the Database-file index.txt in the directory named in the configfile, above module reads this file and writes them either to the file for eliminated records or to the next index.txt-file, depending on date of revokation and expiration. both are to be younger than 62 days (2 months) in the past. At this stage after that the files index.txt and index.temp.new have to be renamed manually. |
|
|
There is a retention time of three months after the last certificate expired/was revoked before an account can be closed for support. I suggest the same duration for CRL. |
|
|
aggreed so lets make it 100 days |
|
|
I did a fix. appended are two version to choose. EliminateExpired.pl (4,694 bytes) EliminateExpired.V2.pl (7,889 bytes) |
|
|
Current signer configuration can be found at https://svn.cacert.org/CAcert/SystemAdministration/signer/ |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-09-15 14:25 | wytze | New Issue | |
| 2014-09-15 14:25 | wytze | File Added: crl-size-issue.log | |
| 2018-05-01 12:42 | dastrath | Assigned To | => GuKKDevel |
| 2018-06-06 10:34 | GuKKDevel | Status | new => fix available |
| 2018-06-06 10:34 | GuKKDevel | Note Added: 0005594 | |
| 2018-06-06 10:40 | dastrath | Note Added: 0005595 | |
| 2018-06-06 10:57 | GuKKDevel | Note Added: 0005597 | |
| 2018-06-06 10:58 | GuKKDevel | Note View State: 0005594: public | |
| 2018-06-06 10:58 | GuKKDevel | Note View State: 0005597: public | |
| 2018-11-01 13:03 | GuKKDevel | File Added: EliminateExpired.pl | |
| 2018-11-01 13:03 | GuKKDevel | File Added: EliminateExpired.V2.pl | |
| 2018-11-01 13:03 | GuKKDevel | Note Added: 0005634 | |
| 2019-04-05 21:33 | Ted | Note Added: 0005791 |
