1 |
============================================================================== |
2 |
CHANGES to fetch-crl - the Certificate Revocation List retrieval tool |
3 |
============================================================================== |
4 |
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for |
5 |
a set of installed trust anchors, based on crl_url files or IGTF-style info |
6 |
files. It will install these for use with OpenSSL, NSS or third-party tools. |
7 |
|
8 |
Changes in fetch-crl 3.0 |
9 |
------------------------ |
10 |
* fetch-crl 3.0 is a complete re-write, and shares no code with the 1.x and |
11 |
2.x series utility of the same name, although the function and some of |
12 |
the syntax is obviously the same |
13 |
|
14 |
* support for multiple output formats: OpenSSL 1 in dual-hash mode, specific |
15 |
DER and PEM outputs, and NSS databases |
16 |
* support for multiple CRLs for a single CA, allowing more than one CA with |
17 |
the same subject name but different CLRs. Review your client software to see |
18 |
if and how these CRLs are used. |
19 |
* stateful retrieval helps reduce bandwidth usage by caching the CRLs locally |
20 |
and respecting the Cache Control headers sent by the web server hosting the |
21 |
CRL. This can reduce the number of downloads |
22 |
* support for HEAD-only requests when state preservation is used (initially |
23 |
only retrieve HTTP headers, and only if the CRL actually changed to a full |
24 |
download) |
25 |
* support for more CRL retrieval protocols (file:// and ftp://) |
26 |
* ability to try site-local URLs first, before relying on the URLs shipped with |
27 |
the trust anchor. This allows building an explicit local caching (web) server. |
28 |
* ability to specify additional URLs to try in case the URLs shipped with the |
29 |
trust anchor were not responsive. This allows for automatic fall-back to |
30 |
(local or global) mirror services for CRL downloads |
31 |
* warnings and errors can be suppressed on a per-trust anchor basis, to allow |
32 |
silencing for particularly unstable trust anchors |
33 |
* aging tolerance (the delay time before errors are generated in case downloads |
34 |
consistently fail) can be configured on a per-trust anchor basis |
35 |
* parallel downloading for multiple trust anchors |
36 |
* minimized use of temporary files in the file system (now limited to the |
37 |
invocation of OpenSSL only, and only for brief periods of time) |
38 |
* dependencies on wget, lynx and other unix utilities have been removed |
39 |
* explicit web proxy support (using LWP http proxies) |
40 |
* completely re-written in perl, with some (hopefully minimal) dependencies: |
41 |
LWP, Sys::Syslog, POSIX. And Data::Dumper (when debugging is enabled), |
42 |
and IO::Select (if parallel downloads are enabled). |
43 |
|
44 |
Differences with respect to the previous versions |
45 |
|
46 |
* when downloading CRLs via https, the server certificate is not checked, |
47 |
neither for the correct DNS name nor for being issued by a valid CA. Since |
48 |
the CRL in itself is signed, this is not a security vulnerability. If |
49 |
stricter checking is anyway desired, and the Crypt::SSLeay perl module has |
50 |
been installed, set the HTTPS_CA_FILE environment variable before invoking |
51 |
fetch-crl -- but keep in mind that the DNS name verification is limited |
52 |
and will (incorrectly) reject DNS names if these are listed only in the |
53 |
subjectAlternativeName of the server certificate |
54 |
* Existing files with a name that matches a CRL target name are overwritten, |
55 |
even if they did not originally contain CRL data. In v2 this was configurable |
56 |
via the FORCE_OVERWRITE configuration setting. In version 3, files are |
57 |
overwritten by default, and this can no longer be configured. |
58 |
* fetch-crl3 will no longer check CA certificates for consistency or validity |
59 |
by themselves, only retrieved CRLs are verified |
60 |
|
61 |
Downsides of the new version |
62 |
|
63 |
* it requires perl5 to be installed (tested with perl 5.8.0 and higher) with |
64 |
libwww-perl, whereas version 2 only required a traditional Bourne shell |
65 |
* requires a version of OpenSSL (0.9.5a or better) to be installed. Needs |
66 |
OpenSSL 1.0.0 (at least beta5) for dual-hash support. |
67 |
* when using parallel downloads, it can only run on pure-POSIX systems |
68 |
* parallelism in combination with the NSS database output format is not tested |
69 |
* Even when only the NSS database output format has been selected, OpenSSL is |
70 |
still needed for verification and processing |
71 |
|
72 |
|
73 |
============================================================================== |
74 |
|
75 |
The change log below applies to the 1.x and 2.x series fetch-crl and is |
76 |
included for historical purposes only. Fetch-crl3, with which this |
77 |
changes file is being shipped, is a complete re-write of the utility. |
78 |
Although a lot of backwards compatibility has been preserves, there have |
79 |
been significant changes and the information below should NOT be used |
80 |
to infer any behaviour of fetch-crl3. |
81 |
|
82 |
Fetch-crl 1.x and 2.x were released under the EU DataGrid License. |
83 |
|
84 |
Changes in version EGP 2.8.5 |
85 |
---------------------------- |
86 |
(2010.06.03) |
87 |
|
88 |
* fetch-crl was occasionally leaving behind {hash}.r0.XXXXXX.r0 files |
89 |
This has been fixed in this release (patch thanks to Jason Smith, BNL) |
90 |
* man page was not compliant to Debian guidelines, this has been fixed |
91 |
(patch thanks to Mattias Ellert, Uppsala University) |
92 |
|
93 |
Changes in version EGP 2.8.4 |
94 |
---------------------------- |
95 |
(2010.04.04) |
96 |
|
97 |
* Fixes error when randomWait is not set [RH Bug 579488] |
98 |
|
99 |
Changes in version EGP 2.8.3 |
100 |
---------------------------- |
101 |
(2010.03.28) |
102 |
|
103 |
* Preserve SELinux context for CRL files if SElinux status program exists |
104 |
and selinux is enabled (RH bug 577403) |
105 |
* Fix argument parsing on syslog facility specification (RH bug 577387) |
106 |
* Increase granularity of the RandomWait and allow for 0 in -r option |
107 |
|
108 |
Changes in version EGP 2.8.2 |
109 |
---------------------------- |
110 |
(2010.03.03) |
111 |
|
112 |
* Improved support for multiple CRL URLs by downloading until a success |
113 |
is achieved, instead of downloading all of them |
114 |
* Imported randomwait patch from Steve Traylen |
115 |
|
116 |
Changes in version EGP 2.8.1 |
117 |
---------------------------- |
118 |
(2010.01.26) |
119 |
|
120 |
* The installed CRL file is re-checked for validity to catch file system |
121 |
errors and local disk corruption. When possible, it will try to restore |
122 |
a backup copy. Failures are not subject to aging tolerance. |
123 |
|
124 |
Changes in version EGP 2.8.0 |
125 |
---------------------------- |
126 |
(2009.09.22) |
127 |
|
128 |
* The RPM packaging has been overhauled and is now sufficiently conformant |
129 |
to EPEL and FedoraProject guidelines. |
130 |
* New init scripts and a cron job entry have been added to allow management |
131 |
of fetch-crl via the chkconfig mechanism |
132 |
|
133 |
These changes were contributed by Steve Traylen (CERN, Geneva, CH). |
134 |
|
135 |
Changes in version EGP 2.7.0 |
136 |
---------------------------- |
137 |
(2009.01.25) |
138 |
|
139 |
* Warnings and errors are now counted. If there are errors in the download |
140 |
or verification process for one or more CRLs, the exit status will be 1; |
141 |
if there are errors in the local setup or in the script invocation, the |
142 |
exit status will be 2. |
143 |
* The installed CRLs no longer have the textual representation of the CRL, |
144 |
but only the PEM data blob, thus reducing IO and memory requirements. |
145 |
* the CRL aging threshold is now set by default to 24 hours. The previous |
146 |
default was 0. The CRL aging threshold is set in the config file using |
147 |
CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument. |
148 |
* Default network timeouts reduced to 10 seconds (was 30) and retries to 2 |
149 |
* Added caching and conditional downloading. When CACHEDIR is set, the |
150 |
original downloads are preserved and wget timestamping mode enabled. |
151 |
When the content did not change, only the timestamp on the installed |
152 |
CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based |
153 |
on the name of the crl_url file, otherwise it is taken from the CRL itself. |
154 |
- The CACHEDIR must be exclusively writable by the user running fetch-crl |
155 |
- Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl |
156 |
* Added RESETPATHMODE setting in sysconfig. It defines whether or not to |
157 |
set re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL |
158 |
may be done based on the old path. |
159 |
yes=always replace; searchopenssl=search for openssl first and then reset; |
160 |
no=keep original path, whatever that me be (may be empty if called from cron) |
161 |
Default="yes". This replaces the hard-coded path in the tool! |
162 |
* Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- |
163 |
compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that |
164 |
have a CRL-like name and ought to have CRL content, but currently do not. |
165 |
* Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially |
166 |
addressed. Bug 20062 can be remedied with WGET_OPTS arguments. |
167 |
Addresses OSG ticket 4673. |
168 |
|
169 |
Changes in version EGP 2.6.6 |
170 |
---------------------------- |
171 |
(2007.09.16) |
172 |
(version 2.5.5 is invalid and was not publicly released) |
173 |
|
174 |
* Added obscure configuration parameter to allow overwriting of |
175 |
arbitrary data files with a downloaded CRL (on request of |
176 |
CERN, see https://savannah.cern.ch/bugs/index.php?29559) |
177 |
|
178 |
Changes in version EGP 2.6.4 |
179 |
---------------------------- |
180 |
(2007.08.15) |
181 |
|
182 |
* Expired CA issuer certificate now gives a warning instead of an error |
183 |
with the full verification result message |
184 |
* additional logfile output target can be selected via the configuration file |
185 |
* CRL aging threshold documented in manual page. Errors will now also be |
186 |
generated in the CRL download failed consistently and the current CRL |
187 |
has already expired |
188 |
|
189 |
Changes in version EGP 2.6.3 |
190 |
---------------------------- |
191 |
(2006.11.13) |
192 |
|
193 |
* cron job example: fetch-crl invocation syntax error corrected |
194 |
|
195 |
Changes in version EGP 2.6.2 |
196 |
---------------------------- |
197 |
(2006.10.27) |
198 |
|
199 |
* fixed bug: older wget versions do not recognise --no-check-certificate |
200 |
|
201 |
Changes in version EGP 2.6.1 |
202 |
---------------------------- |
203 |
(2006.10.25) |
204 |
|
205 |
* fixed local timezone vs UTC error in LastUpdate CRL validation comparison |
206 |
* fixed time comparison is the one-hour LastUpdate/download tolerance |
207 |
(both fixes thanks to Alain Roy) |
208 |
* added support for directory names containing whitespace |
209 |
* added support for syslog reporting (via -f option or SYSLOGFACILITY directive) |
210 |
* SERVERCERTCHECK=no is now the default. It can be reset via the configuration |
211 |
file, or using the "--check-server-certificate" commandline option |
212 |
* the main configuration file location (formerly fixed to be |
213 |
/etc/sysconfig/fetch-crl) can now be set via the variable $FETCH_CRL_SYSCONFIG |
214 |
* logfile format timestamp and tag have been normalised |
215 |
|
216 |
Changes in version EGP 2.6 |
217 |
-------------------------- |
218 |
(2006.05.20) |
219 |
|
220 |
* if the current local CRL has a lastUpdate time in the future, and the |
221 |
newly downloaded CRL is older that the current one, allow the installation |
222 |
of the newly downloaded CRL and issue a warning. |
223 |
* added non-suppressable warning in case the newly downloaded CRL has a |
224 |
lastUpdate time in the future, but install that CRL anyway (as the local |
225 |
clock might have been wrong). |
226 |
|
227 |
Changes in version EGP 2.5 |
228 |
-------------------------- |
229 |
(2006.01.16) |
230 |
|
231 |
* added additional configuration arguments and configuration variables |
232 |
to skip the server certificate check in wget |
233 |
(to support https:// URLs where the server is authenticated with |
234 |
a certificate that is not part of it's own trusted domain, such as |
235 |
the KISTI URL) |
236 |
|
237 |
Changes in version EGP 2.4 |
238 |
-------------------------- |
239 |
(2005.11.15) |
240 |
|
241 |
* for those platforms that support the stat(1) command, and in case the |
242 |
.crl_url file is named after the hash of the crl subject name to download, |
243 |
error eporting for individual download errors can be suppressed for |
244 |
a configurable amount of time as set via the "-a" option (unit: hours). |
245 |
|
246 |
Changes in version EGP 2.3 |
247 |
-------------------------- |
248 |
(2005.11.05) |
249 |
|
250 |
* do not replace recent CRLs with ones that have an older lastUpdate |
251 |
timestamp (prevents ARP/DNS DoS attacks) |
252 |
|
253 |
Changes in version EGP 2.2 |
254 |
-------------------------- |
255 |
(2005.10.27) |
256 |
|
257 |
* secure http download by wget recognise the CAs in the trusted directory. |
258 |
solves the issue described in the LCG bug tracking system |
259 |
https://savannah.cern.ch/bugs/index.php?func=detailitem&item_id=12182 |
260 |
|
261 |
Changes in version EGP 2.1 |
262 |
-------------------------- |
263 |
(2005.08.12) |
264 |
* specifically look for the most recent version of OpenSSL. The |
265 |
one in GLOBUS_LOCATION (which used to take precedence in the |
266 |
previous releases) is outdated in many cases and caused |
267 |
troubles on the LCG production systems in validating v2 CRLs |
268 |
* added manual page fetch-crl(8) |
269 |
|
270 |
Changes in version EGP 2.0 |
271 |
-------------------------- |
272 |
(2005.02.28) |
273 |
* name of the installed script changed to "fetch-crl" |
274 |
* the cronjob script is no longer installed by default, but supplied |
275 |
as an example in the %doc directory |
276 |
* RPM is now relocatable (default install in /usr) |
277 |
* READMA and CHANGES file now inclued in %doc tree |
278 |
* make install now installs |
279 |
* version increased to 2.0 |
280 |
|
281 |
Changes in version EGP 1.9 |
282 |
-------------------------- |
283 |
(2005.02.24) |
284 |
* the content of the final target CRL file is now checked for |
285 |
containing a valid CRL if it already exists. If it does not |
286 |
contain a CRL, an error is displayed and the file left untouched |
287 |
So making the final ".r0" file in ${outdir} a link to something else |
288 |
will not work, preventing an escalation in the final stage. |
289 |
|
290 |
Changes in version EGP 1.8 |
291 |
-------------------------- |
292 |
(changes from Fabio's version 1.7, 2005.02.24) |
293 |
|
294 |
* All temporary files (the initial CRL download using wget |
295 |
and the PEM-converted version of that file) are now created using |
296 |
mktemp |
297 |
* the RetrieveFileByURL function will not overwrite files that |
298 |
have any data in them |
299 |
* Note that the script can be run by a non-priviledged user, but |
300 |
that the output directory must be made writable by that user |
301 |
in an out-of-band way. |
302 |
|
303 |
EDG version 1.7 |
304 |
--------------- |
305 |
Imported with consent of Fabio Hernandez and Steve Traylen from |
306 |
the original EDG repository. |
307 |
The EU DataGrid License applies, see http://www.eu-datagrid.org/ |