==============================================================================
CHANGES to fetch-crl - the Certificate Revocation List retrieval tool
==============================================================================
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for
a set of installed trust anchors, based on crl_url files or IGTF-style info
files. It will install these for use with OpenSSL, NSS or third-party tools.

Changes in 3.0.22-1
----------------------
* fix race condition in CRL file re-writing for cases where the CRL directory
  itself is writable (thanks to Arjen Nienhuis)

Changes in 3.0.20-1
----------------------
* network connection failure messages are pre-filtered and only primary
  status lines shown in logs for download and head requests (bugzilla #29)

Changes in 3.0.19-1
----------------------
* Do not add spurious newline to DER-format files (fixes report 201670320-01)
* run a script after the completion of every fetch-crl run (uses postexec
  directive in config file)

Changes in 3.0.17-1
----------------------
* Add optional cache-control max-age headers in all requests to hint a
  maximum caching time to intermediate servers (bugzilla #26)

Changes in 3.0.16-1
----------------------
* Added cache state freshness constraints (default maxcachetime set to 96hrs)
* Re-set cache expiry of state data if CRL nextUpdate is within or beyond
  7 hrs (config "expirestolerance") claimed URL Expiry or Cache-control max-age

Changes in 3.0.15-1
----------------------
* Fixed issues that resulted in undefined attribute values being returned for CRL

Changes in 3.0.14-1
----------------------
* Requesting CRL retrieval for an empty trust anchor store is now a warning
  and no longer an error

Changes in 3.0.13-1
----------------------
* Supplied system init script for boot phase will not re-run inadvertently
* Add rcmode config option (added differentiated reporting and success-on-
  solely-retrieval-errors)
* Add --define key=val command line argument to augment configuration data
* Setting FETCHCRL_OPTIONS in /etc/sysconfig/fetch-crl will add these
  options to the commandline of fetch-crl on start from cron or at boot time
  Setting FETCHCRL_BOOT_OPTIONS adds them to the boot init script only
  (e.g. FETCHCRL_BOOT_OPTIONS="--define rcmode=differentiated")
  and FETCHCRL_CRON_OPTIONS does the same only for the cron job script

Changes in 3.0.12-1
----------------------
* PEM formatted CRLs now always include a final newline character (fix
  provided by Harald Barth <haba@kth.se>)

Changes in 3.0.11-1
----------------------
* Added reference to /etc/fetch-crl.d/ to the man page, used shortened URL
  to full documentation in man page
* Added version information to help output and added -V option
* Added a dangerous clean-crl script to remove stale .r* files (beware!)

Changes in 3.0.10-1
----------------------
* Added a "noquiet" option in the configuration file that will override
  the default single "-q" option in the cron job that is shipped with
  the fetch-crl3 init scripts (feature request by Ryan Taylor)
* Added option "--inet6glue" and "inet6glue" config setting to load
  the Net::INET6Glue perl module (if it is available) to use IPv6
  connections in LWP to download CRLs

Changes in 3.0.8-1
----------------------
* Trust anchor name inference based on retrieved-CRL added as option (at cost
  of retrieving CRL even if there is no accompanying trust anchor found later)
  Option is disabled by default, but can be enabled by using @HASH@ in the
  ca-template name list. (feature request by Rob van der Wal, SARA, NL)

Changes in 3.0.7-1
----------------------
* CRL modification time heuristic inadvertently modified file name templates
  (solves issue kindly reported by Elan Ruusamae)
* Expanded representation of tokenisation characters in strings to work
  around bug in file(1) (rhbz#699546, works around RedHat Bugzilla 699548)

Changes in 3.0.6-1
----------------------
* Response parsing disabled to suppress superfluous warning on unexpected
  UTF-8 response when retrieving a CRL (solves RedHat Bugzilla 688902)

Changes in 3.0.5-1
----------------------
* CRLs for multiple similarly-named trust anchors might not all be downloaded.
  This is fixed in this release.
* Spurious "restoreLogMode" internal errors are no longer raised

Changes in 3.0.4-1
----------------------
* Add support for directory based drop-in configuration in /etc/fetch-crl.d/
* Only use cached CRL contents if the nextUpdate time of the cached CRL is
  still in the future. This will ensure that a new download is attempted
  each and every time for CRLs that have already expired.

Changes in 3.0.3-1
----------------------
* Clean up of man page format macro PU (reported by Mattias Ellert)

Changes in 3.0.2-1
----------------------
* Clean up of man page format macro PU (reported by Mattias Ellert)

Changes in 3.0.1-1
----------------------
* hunts through more places to find the latest successful CRL download to
  set the latest local modification time for a CRL
  (resolves a comparison error in case output and infodir are unset)

Changes in 3.0.0-0.RC4
----------------------
* the config file name has changed to fetch-crl.conf, although a
  fetch-crl.cnf file will also be used when present
* symlinked meta-data files can be ignored with the --nosymlinks option
  (or nosymlinks in the configuration file). This allows fetch-crl to be
  used effectively with new-format IGTF distribution before 1.37
* infinite loop for non-indexed CA file names fixed

Changes in fetch-crl 3.0
------------------------
* fetch-crl 3.0 is a complete re-write, and shares no code with the 1.x and
  2.x series utility of the same name, although the function and some of
  the syntax is obviously the same

* support for multiple output formats: OpenSSL 1 in dual-hash mode, specific
  DER and PEM outputs, and NSS databases
* support for multiple CRLs for a single CA, allowing more than one CA with
  the same subject name but different CRLs. Review your client software to see
  if and how these CRLs are used.
* stateful retrieval helps reduce bandwidth usage by caching the CRLs locally
  and respecting the Cache Control headers sent by the web server hosting the
  CRL. This can reduce the number of downloads
* support for HEAD-only requests when state preservation is used (initially
  only retrieve HTTP headers, and only if the CRL actually changed do a full
  download)
* support for more CRL retrieval protocols (file:// and ftp://)
* ability to try site-local URLs first, before relying on the URLs shipped with
  the trust anchor. This allows building an explicit local caching (web) server.
* ability to specify additional URLs to try in case the URLs shipped with the
  trust anchor were not responsive. This allows for automatic fall-back to
  (local or global) mirror services for CRL downloads
* warnings and errors can be suppressed on a per-trust anchor basis, to allow
  silencing for particularly unstable trust anchors
* aging tolerance (the delay time before errors are generated in case downloads
  consistently fail) can be configured on a per-trust anchor basis
* parallel downloading for multiple trust anchors
* minimized use of temporary files in the file system (now limited to the
  invocation of OpenSSL only, and only for brief periods of time)
* dependencies on wget, lynx and other unix utilities have been removed
* explicit web proxy support (using LWP http proxies)
* completely re-written in perl, with some (hopefully minimal) dependencies:
  LWP, Sys::Syslog, POSIX. And Data::Dumper (when debugging is enabled),
  and IO::Select (if parallel downloads are enabled).

Differences with respect to the previous versions

* when downloading CRLs via https, the server certificate is not checked,
  neither for the correct DNS name nor for being issued by a valid CA. Since
  the CRL in itself is signed, this is not a security vulnerability. If
  stricter checking is anyway desired, and the Crypt::SSLeay perl module has
  been installed, set the HTTPS_CA_FILE environment variable before invoking
  fetch-crl -- but keep in mind that the DNS name verification is limited
  and will (incorrectly) reject DNS names if these are listed only in the
  subjectAlternativeName of the server certificate
* Existing files with a name that matches a CRL target name are overwritten,
  even if they did not originally contain CRL data. In v2 this was configurable
  via the FORCE_OVERWRITE configuration setting. In version 3, files are
  overwritten by default, and this can no longer be configured.
* fetch-crl3 will no longer check CA certificates for consistency or validity
  by themselves, only retrieved CRLs are verified

Downsides of the new version

* it requires perl5 to be installed (tested with perl 5.8.0 and higher) with
  libwww-perl, whereas version 2 only required a traditional Bourne shell
* requires a version of OpenSSL (0.9.5a or better) to be installed. Needs
  OpenSSL 1.0.0 (at least beta5) for dual-hash support.
* when using parallel downloads, it can only run on pure-POSIX systems
* parallelism in combination with the NSS database output format is not tested
* Even when only the NSS database output format has been selected, OpenSSL is
  still needed for verification and processing


==============================================================================

The change log below applies to the 1.x and 2.x series fetch-crl and is
included for historical purposes only. Fetch-crl3, with which this
changes file is being shipped, is a complete re-write of the utility.
Although a lot of backwards compatibility has been preserved, there have
been significant changes and the information below should NOT be used
to infer any behaviour of fetch-crl3.

Fetch-crl 1.x and 2.x were released under the EU DataGrid License.

Changes in version EGP 2.8.5
----------------------------
(2010.06.03)

* fetch-crl was occasionally leaving behind {hash}.r0.XXXXXX.r0 files
  This has been fixed in this release (patch thanks to Jason Smith, BNL)
* man page was not compliant to Debian guidelines, this has been fixed
  (patch thanks to Mattias Ellert, Uppsala University)

Changes in version EGP 2.8.4
----------------------------
(2010.04.04)

* Fixes error when randomWait is not set [RH Bug 579488]

Changes in version EGP 2.8.3
----------------------------
(2010.03.28)

* Preserve SELinux context for CRL files if SElinux status program exists
  and selinux is enabled (RH bug 577403)
* Fix argument parsing on syslog facility specification (RH bug 577387)
* Increase granularity of the RandomWait and allow for 0 in -r option

Changes in version EGP 2.8.2
----------------------------
(2010.03.03)

* Improved support for multiple CRL URLs by downloading until a success
  is achieved, instead of downloading all of them
* Imported randomwait patch from Steve Traylen

Changes in version EGP 2.8.1
----------------------------
(2010.01.26)

* The installed CRL file is re-checked for validity to catch file system
  errors and local disk corruption. When possible, it will try to restore
  a backup copy. Failures are not subject to aging tolerance.

Changes in version EGP 2.8.0
----------------------------
(2009.09.22)

* The RPM packaging has been overhauled and is now sufficiently conformant
  to EPEL and FedoraProject guidelines.
* New init scripts and a cron job entry have been added to allow management
  of fetch-crl via the chkconfig mechanism

These changes were contributed by Steve Traylen (CERN, Geneva, CH).

Changes in version EGP 2.7.0
----------------------------
(2009.01.25)

* Warnings and errors are now counted. If there are errors in the download
  or verification process for one or more CRLs, the exit status will be 1;
  if there are errors in the local setup or in the script invocation, the
  exit status will be 2.
* The installed CRLs no longer have the textual representation of the CRL,
  but only the PEM data blob, thus reducing IO and memory requirements.
* the CRL aging threshold is now set by default to 24 hours. The previous
  default was 0. The CRL aging threshold is set in the config file using
  CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument.
* Default network timeouts reduced to 10 seconds (was 30) and retries to 2
* Added caching and conditional downloading. When CACHEDIR is set, the
  original downloads are preserved and wget timestamping mode enabled.
  When the content did not change, only the timestamp on the installed
  CRL is updated. If SLOPPYCRLHASHES is set, the hash is calculated based
  on the name of the crl_url file, otherwise it is taken from the CRL itself.
  - The CACHEDIR must be exclusively writable by the user running fetch-crl
  - Setting CACHEDIR significantly reduces the bandwidth used by fetch-crl
* Added RESETPATHMODE setting in sysconfig. It defines whether or not to
  re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL
  may be done based on the old path.
  yes=always replace; searchopenssl=search for openssl first and then reset;
  no=keep original path, whatever that may be (may be empty if called from cron)
  Default="yes". This replaces the hard-coded path in the tool!
* Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards-
  compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that
  have a CRL-like name and ought to have CRL content, but currently do not.
* Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially
  addressed. Bug 20062 can be remedied with WGET_OPTS arguments.
  Addresses OSG ticket 4673.

Changes in version EGP 2.6.6
----------------------------
(2007.09.16)
(version 2.5.5 is invalid and was not publicly released)

* Added obscure configuration parameter to allow overwriting of
  arbitrary data files with a downloaded CRL (on request of
  CERN, see https://savannah.cern.ch/bugs/index.php?29559)

Changes in version EGP 2.6.4
----------------------------
(2007.08.15)

* Expired CA issuer certificate now gives a warning instead of an error
  with the full verification result message
* additional logfile output target can be selected via the configuration file
* CRL aging threshold documented in manual page. Errors will now also be
  generated if the CRL download failed consistently and the current CRL
  has already expired

Changes in version EGP 2.6.3
----------------------------
(2006.11.13)

* cron job example: fetch-crl invocation syntax error corrected

Changes in version EGP 2.6.2
----------------------------
(2006.10.27)

* fixed bug: older wget versions do not recognise --no-check-certificate

Changes in version EGP 2.6.1
----------------------------
(2006.10.25)

* fixed local timezone vs UTC error in LastUpdate CRL validation comparison
* fixed time comparison in the one-hour LastUpdate/download tolerance
  (both fixes thanks to Alain Roy)
* added support for directory names containing whitespace
* added support for syslog reporting (via -f option or SYSLOGFACILITY directive)
* SERVERCERTCHECK=no is now the default. It can be reset via the configuration
  file, or using the "--check-server-certificate" commandline option
* the main configuration file location (formerly fixed to be
  /etc/sysconfig/fetch-crl) can now be set via the variable $FETCH_CRL_SYSCONFIG
* logfile format timestamp and tag have been normalised

Changes in version EGP 2.6
--------------------------
(2006.05.20)

* if the current local CRL has a lastUpdate time in the future, and the
  newly downloaded CRL is older than the current one, allow the installation
  of the newly downloaded CRL and issue a warning.
* added non-suppressable warning in case the newly downloaded CRL has a
  lastUpdate time in the future, but install that CRL anyway (as the local
  clock might have been wrong).

Changes in version EGP 2.5
--------------------------
(2006.01.16)

* added additional configuration arguments and configuration variables
  to skip the server certificate check in wget
  (to support https:// URLs where the server is authenticated with
  a certificate that is not part of its own trusted domain, such as
  the KISTI URL)

Changes in version EGP 2.4
--------------------------
(2005.11.15)

* for those platforms that support the stat(1) command, and in case the
  .crl_url file is named after the hash of the crl subject name to download,
  error reporting for individual download errors can be suppressed for
  a configurable amount of time as set via the "-a" option (unit: hours).

Changes in version EGP 2.3
--------------------------
(2005.11.05)

* do not replace recent CRLs with ones that have an older lastUpdate
  timestamp (prevents ARP/DNS DoS attacks)
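
Several entries above together describe the policy for accepting a downloaded CRL: 2.3 refuses to roll back to an older lastUpdate, 2.6 relaxes that when the installed CRL itself looks like it came from a skewed clock, 2.4/2.6.4/2.7.0 add the aging threshold for persistent download failures, and 3.0.4 only reuses cached contents while nextUpdate is still in the future. The Python below is an added illustration of those rules and is not fetch-crl's own code (which is Perl and takes these fields from OpenSSL); CrlInfo, the function names and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time for the sample data below (assumption).
NOW = datetime(2010, 6, 3, 12, 0, tzinfo=timezone.utc)


@dataclass
class CrlInfo:
    """Assumed minimal view of a CRL: fetch-crl reads these two fields
    through OpenSSL; here they are supplied directly so the policy runs offline."""
    last_update: datetime
    next_update: datetime


@dataclass
class Decision:
    action: str                                   # "install" or "keep-current"
    warnings: List[str] = field(default_factory=list)


# Constructed sample CRLs (assumptions) used by the demonstration at the bottom.
INSTALLED = CrlInfo(NOW - timedelta(days=2), NOW + timedelta(days=5))   # valid
STALE = CrlInfo(NOW - timedelta(days=10), NOW + timedelta(days=1))      # older lastUpdate
FUTURE = CrlInfo(NOW + timedelta(hours=1), NOW + timedelta(days=7))     # clock skew
EXPIRED = CrlInfo(NOW - timedelta(days=8), NOW - timedelta(hours=1))    # nextUpdate passed


def cached_crl_usable(cached: CrlInfo, now: datetime = NOW) -> bool:
    """3.0.4 rule: cached contents are reused only while nextUpdate is still in
    the future; an expired CRL always triggers a fresh download attempt."""
    return cached.next_update > now


def decide_install(current: Optional[CrlInfo], candidate: CrlInfo,
                   now: datetime = NOW) -> Decision:
    """2.3 and 2.6 rules for replacing the installed CRL with a downloaded one."""
    d = Decision("install")
    if candidate.last_update > now:
        # 2.6: warn (not suppressable) but install anyway; the local clock may be wrong
        d.warnings.append("downloaded CRL has a lastUpdate in the future")
    if current is None or candidate.last_update >= current.last_update:
        return d                                  # nothing installed, or newer/same
    if current.last_update > now:
        # 2.6: the installed CRL is itself from the future, so accept the older one
        d.warnings.append("installed CRL lastUpdate is in the future; "
                          "accepting older downloaded CRL")
        return d
    # 2.3: never roll back to an older CRL, so a replayed stale CRL served by a
    # spoofed (ARP/DNS) download server cannot shorten the revocation view
    d.action = "keep-current"
    d.warnings.append("downloaded CRL is older than the installed one; kept current")
    return d


def failure_is_error(hours_failing: float, current: Optional[CrlInfo],
                     threshold_hours: float = 24, now: datetime = NOW) -> bool:
    """2.4/2.6.4/2.7.0 aging threshold (default 24h since 2.7.0): consistent
    download failures are an error only after threshold_hours, or right away
    once the installed CRL has already expired."""
    if current is not None and current.next_update <= now:
        return True
    return hours_failing >= threshold_hours


if __name__ == "__main__":
    print(decide_install(INSTALLED, STALE))       # keep-current, with a warning
    print(decide_install(FUTURE, INSTALLED))      # install, with a warning
    print(cached_crl_usable(EXPIRED), failure_is_error(25, INSTALLED))
```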

Changes in version EGP 2.2
--------------------------
(2005.10.27)

* secure http download by wget now recognises the CAs in the trusted directory.
  solves the issue described in the LCG bug tracking system
  https://savannah.cern.ch/bugs/index.php?func=detailitem&item_id=12182

Changes in version EGP 2.1
--------------------------
(2005.08.12)
* specifically look for the most recent version of OpenSSL. The
  one in GLOBUS_LOCATION (which used to take precedence in the
  previous releases) is outdated in many cases and caused
  troubles on the LCG production systems in validating v2 CRLs
* added manual page fetch-crl(8)

Changes in version EGP 2.0
--------------------------
(2005.02.28)
* name of the installed script changed to "fetch-crl"
* the cronjob script is no longer installed by default, but supplied
  as an example in the %doc directory
* RPM is now relocatable (default install in /usr)
* README and CHANGES file now included in %doc tree
* make install now installs
* version increased to 2.0

Changes in version EGP 1.9
--------------------------
(2005.02.24)
* the content of the final target CRL file is now checked for
  containing a valid CRL if it already exists. If it does not
  contain a CRL, an error is displayed and the file is left untouched.
  So making the final ".r0" file in ${outdir} a link to something else
  will not work, preventing an escalation in the final stage.

Changes in version EGP 1.8
--------------------------
(changes from Fabio's version 1.7, 2005.02.24)

* All temporary files (the initial CRL download using wget
  and the PEM-converted version of that file) are now created using
  mktemp
* the RetrieveFileByURL function will not overwrite files that
  have any data in them
* Note that the script can be run by a non-privileged user, but
  that the output directory must be made writable by that user
  in an out-of-band way.

EDG version 1.7
---------------
Imported with consent of Fabio Hernandez and Steve Traylen from
the original EDG repository.
The EU DataGrid License applies, see http://www.eu-datagrid.org/