
I have an IIS server on a 2016 box (IIS v10 it says) which is being used to authenticate a unix server via a certificate. I have confirmed connectivity to the internal CRL server, I can telnet to it, I can download the file, and certutil comes with the below:

certutil -verify -urlfetch removed_for_privacy.cer
Issuer:
    CN=removed_for_privacy
    O=removed_for_privacy
    C=removed_for_privacy
  Name Hash(sha1): 35baf042268dc6dd33c1bcaf8656ab3339a2c06b
  Name Hash(md5): 0688a21d6c00b503fadf374e534604f1
Subject:
    CN=removed_for_privacy
    OU=removed_for_privacy
    O=removed_for_privacy
    L=removed_for_privacy
    S=removed_for_privacy
    C=removed_for_privacy
  Name Hash(sha1): 33db10b0a1303e8f58f12ea85a49e2d5c7956d28
  Name Hash(md5): d2162c234c3d235a530badf869764eeb
Cert Serial Number: 77001e3a38d80b8d528f0f4ed90000001e3a38

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 216 Days, 6 Minutes, 47 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 216 Days, 6 Minutes, 47 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 12/03/2021 05:48
  NotAfter: 12/03/2023 05:48
  Subject: CN=removed_for_privacy
  Serial: 77001e3a38d80b8d528f0f4ed90000001e3a38
  Template: 1.3.6.1.4.1.311.21.8.1475819.1923179.2641816.6959893.4978592.187.3822061.5349830
  Cert: c829af51c2f97f9336b150f348a5ed07cccc8326
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://removed_for_privacy.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (01fb)" Time: 0
    [0.0] http://removed_for_privacy.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] http://removed_for_privacy/ocsp

  --------------------------------
    CRL (null):
    Issuer: CN=removed_for_privacy
    ThisUpdate: 04/05/2021 14:02
    NextUpdate: 06/05/2021 14:22
    CRL: fbd7722100ef6f4ab7d03c290aca62a85c9c6441
  Issuance[0] = 1.2.826.0.1.1833679.1.1.5.5.5
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 07/09/2017 12:47
  NotAfter: 07/09/2025 12:57
  Subject: CN=removed_for_privacy
  Serial: 7700000002404ed3d5c1d87a1b000000000002
  Cert: b0e971dc53ea6a1e0b7d620704f7d16a6091a8d1
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://removed_for_privacy.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (05)" Time: 0
    [0.0] http://removed_for_privacy.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 05:
    Issuer: CN=removed_for_privacy
    ThisUpdate: 30/09/2020 15:26
    NextUpdate: 30/10/2021 15:46
    CRL: 2e6fdb9adf169af6b8f029a2374a52099538abd3

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=removed_for_privacy
  NotBefore: 31/08/2017 11:56
  NotAfter: 31/08/2037 11:56
  Subject: CN=removed_for_privacy
  Serial: 3bd2d21295368abd4a25a5dfb7c7921f
  Cert: bf8c3c705348b8d931d3853427f7f57bcf575d8d
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  Chain: da7d7a37bb99548aa5500003e5c9b83407fa115b
Full chain:
  Chain: 7ff925ccc3a676b7ad1b1e9ad8ae0c3fc86cd71e
------------------------------------
Verified Issuance Policies:
    1.2.826.0.1.1833679.1.1.5.5.5
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed

IIS returns a solitary 403 13 error, more specifically:

2021-05-04 13:21:38 removed_for_privacy GET removed_for_privacy 443 - removed_for_privacy curl/7.29.0 - 403 13 2148081683 45020

UPDATE:

Works straight away on a 2012 IIS box; both have double escaping disabled. So the finger is pointing at v10 of IIS.

AlexF
  • Are you erroring when checking the crl, or the delta crl? If the latter, is double-escaping allowed in IIS on that site? – Semicolon May 05 '21 at 14:44
  • I'm not sure how to check for double-escaping - that's a security feature to prevent XSS and other style attacks, isn't it? It errors when checking the CRL, I don't think there is a delta according to that certutil output? – AlexF May 07 '21 at 09:06
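The three trailing numbers in the IIS log line quoted in the question (sc-status, sc-substatus, sc-win32-status) carry more diagnostic information than the bare "403 13". The win32 status is logged as an unsigned decimal; 2148081683 is 0x80092013, which the Windows SDK headers name CRYPT_E_REVOCATION_OFFLINE. The script below is an added example, not code from the question or from any answer: it parses W3C-format IIS log lines using the #Fields header, labels the 403.x client-certificate substatus codes, and converts sc-win32-status to its HRESULT name. The log text, IP addresses and URL paths embedded in it are constructed to mirror the shape of the line in the question.

```python
"""Decode the status fields of IIS W3C log lines (added example)."""
from __future__ import annotations

# IIS 403.x substatus codes that relate to client-certificate handling.
IIS_403_SUBSTATUS = {
    7: "Client certificate required",
    12: "Mapper denied access",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# HRESULT values as defined in the Windows SDK (winerror.h / wincrypt.h).
HRESULT_NAMES = {
    0x80092010: "CRYPT_E_REVOKED",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
}

# Constructed sample log (not the questioner's real log); same field layout
# as the default IIS W3C logging configuration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-05-04 13:21:38 10.0.0.5 GET /auth/check - 443 - 10.0.0.9 curl/7.29.0 - 403 13 2148081683 45020
2021-05-04 13:22:01 10.0.0.5 GET /auth/check - 443 - 10.0.0.9 curl/7.29.0 - 200 0 0 12
"""


def decode_win32_status(value: int | str) -> tuple[str, str]:
    """Map sc-win32-status (logged as unsigned decimal) to HRESULT hex and name."""
    code = int(value) & 0xFFFFFFFF
    hex_form = f"0x{code:08X}"
    if code == 0:
        return hex_form, "ERROR_SUCCESS"
    return hex_form, HRESULT_NAMES.get(code, "unknown HRESULT")


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by field name."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        else:
            if fields is None:
                raise ValueError("data line seen before a #Fields header")
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
            rows.append(dict(zip(fields, values)))
    return rows


def explain(row: dict[str, str]) -> dict[str, str]:
    """Turn the status triple of one parsed row into human-readable form."""
    status = int(row["sc-status"])
    sub = int(row["sc-substatus"])
    hex_form, name = decode_win32_status(row["sc-win32-status"])
    if status == 403 and sub in IIS_403_SUBSTATUS:
        reason = f"403.{sub} {IIS_403_SUBSTATUS[sub]}"
    else:
        reason = f"{status}.{sub}"
    return {"reason": reason, "hresult": hex_form, "hresult_name": name}


if __name__ == "__main__":
    for row in parse_w3c(SAMPLE_LOG):
        info = explain(row)
        print(row["date"], row["time"], info["reason"], info["hresult"], info["hresult_name"])
```

A point worth keeping in mind when reading the result: the "Leaf certificate revocation check passed" line from certutil reflects a chain built by the interactive certutil process, whereas sc-win32-status records what the chain build performed on IIS's behalf returned for that request, so the decoded HRESULT is the value that describes what IIS itself saw.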
