Memo for CAs and other PKI participants

, , , , , , , , , , .





, . .





, .





, , , , .





, , , .





Public Key Infrastructure, , , () .





, . .





, - , , , .





, , – , .





63- « » №795. .





PKI – , , .





CRL

CDP - CRL Distribution Points, CRL - Certificate Revocation List





, . , , .





CRL , «Man in the middle» . .





URL, , , , .





, , , .





.





, TLS TLS RSA HTTPS. , 100% .





?





1. (Redirect)

URL, , , URL.





Java , :





import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

private static final String ATTENTION_CRL_REDIRECT_DETECTED = "Attention CRL redirect detected: ";
private static final String LOCATION = "Location";
// STRING_DIRECTION is referenced but not defined in the original excerpt; value assumed here
private static final String STRING_DIRECTION = " -> ";

URL url = new URL(crlURL);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
// Do not follow redirects automatically: otherwise the 3xx response (and its Location header)
// is consumed transparently and the check below never sees it
connection.setInstanceFollowRedirects(false);
String redirect = connection.getHeaderField(LOCATION);
if (redirect != null) {
    // DownloadCRLException is the application's own exception type (not shown in the excerpt)
    throw new DownloadCRLException(
            ATTENTION_CRL_REDIRECT_DETECTED + crlURL + STRING_DIRECTION + redirect);
}



2. HTTPS CDP

, , .





https://, ldap:// SFTP, URL IP . HTTP FTP ( ) Internet .





HTTPS ?





-, , HTTPS- .





HTTPS-.





, SSL/TLS-.





FTP Active Directory LDAP-.





, CRL .





3. HTTP (redirect) HTTPS

, , 1 2.





?





, , -, , , , Nginx.





, , , , CRL, redirect HTTPS.





server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}



, URL http://, , , , CRL.





4. User Agent

3.





, Nginx User Agent. , Java HTTP 403 .





, PKIX.





if ($http_user_agent = "Mozilla/5.0 (Linux; Android 4.2.2; SGH-M919 Build/JDQ39) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.169 Mobile Safari/537.22") {
    return 403;
}
if ($http_user_agent ~* "^Java") {
    return 403;
}



, , redirect User Agent.





5. CRL

. CRL , , , .





, , .





, , .





CRL , , .





, - CRL.





, , . , , .





6.

.





, , URL http:// host . , , - .





. IOException: ConnectionTimeOut . CRL. , , ConnectionTimeOut=15000 mSec, , .





CDP , CRL ConnectionTimeOut?





, , .





, , , ? , , ?





.





, , - .





ConnectionTimeOut?





, , , :





  • - , , , , "No Route to host"





  • -





  • ,





  • / , . ,





?





, .





, , , , .





, , , , IOException Connection Refused: connect, URL.





«» , 5 . .





CRL

RFC 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile





RFC 5280 IETF X.509 ITU-T, .





, 8. Security Considerations RFC 5280





When certificates include a cRLDistributionPoints extension with an https URI or similar scheme, circular dependencies can be introduced. The relying party is forced to perform an additional path validation in order to obtain the CRL required to complete the initial path validation! Circular conditions can also be created with an https URI (or similar scheme) in the authorityInfoAccess or subjectInfoAccess extensions. At worst, this situation can create unresolvable dependencies.





CAs SHOULD NOT include URIs that specify https, ldaps, or similar schemes in extensions. CAs that include an https URI in one of these extensions MUST ensure that the server's certificate can be validated without using the information that is pointed to by the URI. Relying parties that choose to validate the server's certificate when obtaining information pointed to by an https URI in the cRLDistributionPoints, authorityInfoAccess, or subjectInfoAccess extensions MUST be prepared for the possibility that this will result in unbounded recursion.





HTTPS LDAP- .





, , .





, HTTPS- , HTTPS-, .





, HTTPS- . . , HTTPS- CRL, .





, .





- OCSP - Online Certificate Status Protocol.





CDP .





OCSP OCSP Server Client.





 .





" " 06.04.2011 N 63- 27 2011 . N 795 " ".





, , Subject - L – .





.





:





L , . , 63- №795





.





:





63- 06.04.2011 " "





14.





2. :





2) , ( ) - , - , ;





17.





2. :





2) , , ( ) - , , , , ( ) - - , , , - , , , ( ) - ( , );





27 2011 . № 795





III.





5) stateOrProvinceName ( ).





, . stateOrProvinceName 2.5.4.8;





6) localityName ( ).





, . localityName 2.5.4.7;





7) streetAddress ( , ).





, , , , , , , ( ). streetAddress 2.5.4.9;





: stateOrProvinceName ( ), streetAddress ( , ).





localityName ( ).





locality -





63- №795 , locality - .





, localityName ( 2.5.4.7)





« «LOCALITYNAME» «SUBJECT» »





2.2 18 2 17 , , ‑ .





, , , .





«localityName» «subject» , .





, L , .





.





PKI !







