| 1 |
davidg |
1758 |
============================================================================== |
| 2 |
|
|
CHANGES to fetch-crl - the Certificate Revocation List retrieval tool |
| 3 |
|
|
============================================================================== |
| 4 |
|
|
The fetch-crl utility will retrieve certificate revocation lists (CRLs) for |
| 5 |
|
|
a set of installed trust anchors, based on crl_url files or IGTF-style info |
| 6 |
|
|
files. It will install these for use with OpenSSL, NSS or third-party tools. |
| 7 |
|
|
|
| 8 |
davidg |
1878 |
Changes in 3.0.0-0.RC4 |
| 9 |
|
|
---------------------- |
| 10 |
|
|
* the config file name has changed to fetch-crl.conf, although a |
| 11 |
|
|
fetch-crl.cnf file will also be used when present |
| 12 |
|
|
* symlinked meta-data files can be ignored with the --nosymlinks option |
| 13 |
|
|
(or nosymlinks in the configuration file). This allows fetch-crl to be |
| 14 |
|
|
used effectively with new-format IGTF distribution before 1.37 |
| 15 |
|
|
* infinite loop for non-indexed CA file names fixed |
| 16 |
|
|
|
| 17 |
davidg |
1758 |
Changes in fetch-crl 3.0 |
| 18 |
|
|
------------------------ |
| 19 |
|
|
* fetch-crl 3.0 is a complete re-write, and shares no code with the 1.x and |
| 20 |
|
|
2.x series utility of the same name, although the function and some of |
| 21 |
|
|
the syntax is obviously the same |
| 22 |
|
|
|
| 23 |
|
|
* support for multiple output formats: OpenSSL 1 in dual-hash mode, specific |
| 24 |
|
|
DER and PEM outputs, and NSS databases |
| 25 |
|
|
* support for multiple CRLs for a single CA, allowing more than one CA with |
| 26 |
|
|
the same subject name but different CLRs. Review your client software to see |
| 27 |
|
|
if and how these CRLs are used. |
| 28 |
|
|
* stateful retrieval helps reduce bandwidth usage by caching the CRLs locally |
| 29 |
|
|
and respecting the Cache Control headers sent by the web server hosting the |
| 30 |
|
|
CRL. This can reduce the number of downloads |
| 31 |
|
|
* support for HEAD-only requests when state preservation is used (initially |
| 32 |
|
|
only retrieve HTTP headers, and only if the CRL actually changed to a full |
| 33 |
|
|
download) |
| 34 |
|
|
* support for more CRL retrieval protocols (file:// and ftp://) |
| 35 |
|
|
* ability to try site-local URLs first, before relying on the URLs shipped with |
| 36 |
|
|
the trust anchor. This allows building an explicit local caching (web) server. |
| 37 |
|
|
* ability to specify additional URLs to try in case the URLs shipped with the |
| 38 |
|
|
trust anchor were not responsive. This allows for automatic fall-back to |
| 39 |
|
|
(local or global) mirror services for CRL downloads |
| 40 |
|
|
* warnings and errors can be suppressed on a per-trust anchor basis, to allow |
| 41 |
|
|
silencing for particularly unstable trust anchors |
| 42 |
|
|
* aging tolerance (the delay time before errors are generated in case downloads |
| 43 |
|
|
consistently fail) can be configured on a per-trust anchor basis |
| 44 |
|
|
* parallel downloading for multiple trust anchors |
| 45 |
|
|
* minimized use of temporary files in the file system (now limited to the |
| 46 |
|
|
invocation of OpenSSL only, and only for brief periods of time) |
| 47 |
|
|
* dependencies on wget, lynx and other unix utilities have been removed |
| 48 |
|
|
* explicit web proxy support (using LWP http proxies) |
| 49 |
|
|
* completely re-written in perl, with some (hopefully minimal) dependencies: |
| 50 |
|
|
LWP, Sys::Syslog, POSIX. And Data::Dumper (when debugging is enabled), |
| 51 |
|
|
and IO::Select (if parallel downloads are enabled). |
| 52 |
|
|
|
| 53 |
|
|
Differences with respect to the previous versions |
| 54 |
|
|
|
| 55 |
|
|
* when downloading CRLs via https, the server certificate is not checked, |
| 56 |
|
|
neither for the correct DNS name nor for being issued by a valid CA. Since |
| 57 |
|
|
the CRL in itself is signed, this is not a security vulnerability. If |
| 58 |
|
|
stricter checking is anyway desired, and the Crypt::SSLeay perl module has |
| 59 |
|
|
been installed, set the HTTPS_CA_FILE environment variable before invoking |
| 60 |
|
|
fetch-crl -- but keep in mind that the DNS name verification is limited |
| 61 |
|
|
and will (incorrectly) reject DNS names if these are listed only in the |
| 62 |
|
|
subjectAlternativeName of the server certificate |
| 63 |
|
|
* Existing files with a name that matches a CRL target name are overwritten, |
| 64 |
|
|
even if they did not originally contain CRL data. In v2 this was configurable |
| 65 |
|
|
via the FORCE_OVERWRITE configuration setting. In version 3, files are |
| 66 |
|
|
overwritten by default, and this can no longer be configured. |
| 67 |
|
|
* fetch-crl3 will no longer check CA certificates for consistency or validity |
| 68 |
|
|
by themselves, only retrieved CRLs are verified |
| 69 |
|
|
|
| 70 |
|
|
Downsides of the new version |
| 71 |
|
|
|
| 72 |
|
|
* it requires perl5 to be installed (tested with perl 5.8.0 and higher) with |
| 73 |
|
|
libwww-perl, whereas version 2 only required a traditional Bourne shell |
| 74 |
|
|
* requires a version of OpenSSL (0.9.5a or better) to be installed. Needs |
| 75 |
|
|
OpenSSL 1.0.0 (at least beta5) for dual-hash support. |
| 76 |
|
|
* when using parallel downloads, it can only run on pure-POSIX systems |
| 77 |
|
|
* parallelism in combination with the NSS database output format is not tested |
| 78 |
|
|
* Even when only the NSS database output format has been selected, OpenSSL is |
| 79 |
|
|
still needed for verification and processing |
| 80 |
|
|
|
| 81 |
|
|
|
| 82 |
|
|
============================================================================== |
| 83 |
|
|
|
| 84 |
|
|
The change log below applies to the 1.x and 2.x series fetch-crl and is |
| 85 |
|
|
included for historical purposes only. Fetch-crl3, with which this |
| 86 |
|
|
changes file is being shipped, is a complete re-write of the utility. |
| 87 |
|
|
Although a lot of backwards compatibility has been preserves, there have |
| 88 |
|
|
been significant changes and the information below should NOT be used |
| 89 |
|
|
to infer any behaviour of fetch-crl3. |
| 90 |
|
|
|
| 91 |
|
|
Fetch-crl 1.x and 2.x were released under the EU DataGrid License. |
| 92 |
|
|
|
| 93 |
|
|
Changes in version EGP 2.8.5 |
| 94 |
|
|
---------------------------- |
| 95 |
|
|
(2010.06.03) |
| 96 |
|
|
|
| 97 |
|
|
* fetch-crl was occasionally leaving behind {hash}.r0.XXXXXX.r0 files |
| 98 |
|
|
This has been fixed in this release (patch thanks to Jason Smith, BNL) |
| 99 |
|
|
* man page was not compliant to Debian guidelines, this has been fixed |
| 100 |
|
|
(patch thanks to Mattias Ellert, Uppsala University) |
| 101 |
|
|
|
| 102 |
|
|
Changes in version EGP 2.8.4 |
| 103 |
|
|
---------------------------- |
| 104 |
|
|
(2010.04.04) |
| 105 |
|
|
|
| 106 |
|
|
* Fixes error when randomWait is not set [RH Bug 579488] |
| 107 |
|
|
|
| 108 |
|
|
Changes in version EGP 2.8.3 |
| 109 |
|
|
---------------------------- |
| 110 |
|
|
(2010.03.28) |
| 111 |
|
|
|
| 112 |
|
|
* Preserve SELinux context for CRL files if SElinux status program exists |
| 113 |
|
|
and selinux is enabled (RH bug 577403) |
| 114 |
|
|
* Fix argument parsing on syslog facility specification (RH bug 577387) |
| 115 |
|
|
* Increase granularity of the RandomWait and allow for 0 in -r option |
| 116 |
|
|
|
| 117 |
|
|
Changes in version EGP 2.8.2 |
| 118 |
|
|
---------------------------- |
| 119 |
|
|
(2010.03.03) |
| 120 |
|
|
|
| 121 |
|
|
* Improved support for multiple CRL URLs by downloading until a success |
| 122 |
|
|
is achieved, instead of downloading all of them |
| 123 |
|
|
* Imported randomwait patch from Steve Traylen |
| 124 |
|
|
|
| 125 |
|
|
Changes in version EGP 2.8.1 |
| 126 |
|
|
---------------------------- |
| 127 |
|
|
(2010.01.26) |
| 128 |
|
|
|
| 129 |
|
|
* The installed CRL file is re-checked for validity to catch file system |
| 130 |
|
|
errors and local disk corruption. When possible, it will try to restore |
| 131 |
|
|
a backup copy. Failures are not subject to aging tolerance. |
| 132 |
|
|
|
| 133 |
|
|
Changes in version EGP 2.8.0 |
| 134 |
|
|
---------------------------- |
| 135 |
|
|
(2009.09.22) |
| 136 |
|
|
|
| 137 |
|
|
* The RPM packaging has been overhauled and is now sufficiently conformant |
| 138 |
|
|
to EPEL and FedoraProject guidelines. |
| 139 |
|
|
* New init scripts and a cron job entry have been added to allow management |
| 140 |
|
|
of fetch-crl via the chkconfig mechanism |
| 141 |
|
|
|
| 142 |
|
|
These changes were contributed by Steve Traylen (CERN, Geneva, CH). |
| 143 |
|
|
|
| 144 |
|
|
Changes in version EGP 2.7.0 |
| 145 |
|
|
---------------------------- |
| 146 |
|
|
(2009.01.25) |
| 147 |
|
|
|
| 148 |
|
|
* Warnings and errors are now counted. If there are errors in the download |
| 149 |
|
|
or verification process for one or more CRLs, the exit status will be 1; |
| 150 |
|
|
if there are errors in the local setup or in the script invocation, the |
| 151 |
|
|
exit status will be 2. |
| 152 |
|
|
* The installed CRLs no longer have the textual representation of the CRL, |
| 153 |
|
|
but only the PEM data blob, thus reducing IO and memory requirements. |
| 154 |
|
|
* the CRL aging threshold is now set by default to 24 hours. The previous |
| 155 |
|
|
default was 0. The CRL aging threshold is set in the config file using |
| 156 |
|
|
CRL_AGING_THRESHOLD=<xx>, or with the "-a" command-line argument. |
| 157 |
|
|
* Default network timeouts reduced to 10 seconds (was 30) and retries to 2 |
| 158 |
|
|
* Added caching and conditional downloading. When CACHEDIR is set, the |
| 159 |
|
|
original downloads are preserved and wget timestamping mode enabled. |
| 160 |
|
|
When the content did not change, only the timestamp on the installed |
| 161 |
|
|
CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based |
| 162 |
|
|
on the name of the crl_url file, otherwise it is taken from the CRL itself. |
| 163 |
|
|
- The CACHEDIR must be exclusively writable by the user running fetch-crl |
| 164 |
|
|
- Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl |
| 165 |
|
|
* Added RESETPATHMODE setting in sysconfig. It defines whether or not to |
| 166 |
|
|
set re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL |
| 167 |
|
|
may be done based on the old path. |
| 168 |
|
|
yes=always replace; searchopenssl=search for openssl first and then reset; |
| 169 |
|
|
no=keep original path, whatever that me be (may be empty if called from cron) |
| 170 |
|
|
Default="yes". This replaces the hard-coded path in the tool! |
| 171 |
|
|
* Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- |
| 172 |
|
|
compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that |
| 173 |
|
|
have a CRL-like name and ought to have CRL content, but currently do not. |
| 174 |
|
|
* Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially |
| 175 |
|
|
addressed. Bug 20062 can be remedied with WGET_OPTS arguments. |
| 176 |
|
|
Addresses OSG ticket 4673. |
| 177 |
|
|
|
| 178 |
|
|
Changes in version EGP 2.6.6 |
| 179 |
|
|
---------------------------- |
| 180 |
|
|
(2007.09.16) |
| 181 |
|
|
(version 2.5.5 is invalid and was not publicly released) |
| 182 |
|
|
|
| 183 |
|
|
* Added obscure configuration parameter to allow overwriting of |
| 184 |
|
|
arbitrary data files with a downloaded CRL (on request of |
| 185 |
|
|
CERN, see https://savannah.cern.ch/bugs/index.php?29559) |
| 186 |
|
|
|
| 187 |
|
|
Changes in version EGP 2.6.4 |
| 188 |
|
|
---------------------------- |
| 189 |
|
|
(2007.08.15) |
| 190 |
|
|
|
| 191 |
|
|
* Expired CA issuer certificate now gives a warning instead of an error |
| 192 |
|
|
with the full verification result message |
| 193 |
|
|
* additional logfile output target can be selected via the configuration file |
| 194 |
|
|
* CRL aging threshold documented in manual page. Errors will now also be |
| 195 |
|
|
generated in the CRL download failed consistently and the current CRL |
| 196 |
|
|
has already expired |
| 197 |
|
|
|
| 198 |
|
|
Changes in version EGP 2.6.3 |
| 199 |
|
|
---------------------------- |
| 200 |
|
|
(2006.11.13) |
| 201 |
|
|
|
| 202 |
|
|
* cron job example: fetch-crl invocation syntax error corrected |
| 203 |
|
|
|
| 204 |
|
|
Changes in version EGP 2.6.2 |
| 205 |
|
|
---------------------------- |
| 206 |
|
|
(2006.10.27) |
| 207 |
|
|
|
| 208 |
|
|
* fixed bug: older wget versions do not recognise --no-check-certificate |
| 209 |
|
|
|
| 210 |
|
|
Changes in version EGP 2.6.1 |
| 211 |
|
|
---------------------------- |
| 212 |
|
|
(2006.10.25) |
| 213 |
|
|
|
| 214 |
|
|
* fixed local timezone vs UTC error in LastUpdate CRL validation comparison |
| 215 |
|
|
* fixed time comparison is the one-hour LastUpdate/download tolerance |
| 216 |
|
|
(both fixes thanks to Alain Roy) |
| 217 |
|
|
* added support for directory names containing whitespace |
| 218 |
|
|
* added support for syslog reporting (via -f option or SYSLOGFACILITY directive) |
| 219 |
|
|
* SERVERCERTCHECK=no is now the default. It can be reset via the configuration |
| 220 |
|
|
file, or using the "--check-server-certificate" commandline option |
| 221 |
|
|
* the main configuration file location (formerly fixed to be |
| 222 |
|
|
/etc/sysconfig/fetch-crl) can now be set via the variable $FETCH_CRL_SYSCONFIG |
| 223 |
|
|
* logfile format timestamp and tag have been normalised |
| 224 |
|
|
|
| 225 |
|
|
Changes in version EGP 2.6 |
| 226 |
|
|
-------------------------- |
| 227 |
|
|
(2006.05.20) |
| 228 |
|
|
|
| 229 |
|
|
* if the current local CRL has a lastUpdate time in the future, and the |
| 230 |
|
|
newly downloaded CRL is older that the current one, allow the installation |
| 231 |
|
|
of the newly downloaded CRL and issue a warning. |
| 232 |
|
|
* added non-suppressable warning in case the newly downloaded CRL has a |
| 233 |
|
|
lastUpdate time in the future, but install that CRL anyway (as the local |
| 234 |
|
|
clock might have been wrong). |
| 235 |
|
|
|
| 236 |
|
|
Changes in version EGP 2.5 |
| 237 |
|
|
-------------------------- |
| 238 |
|
|
(2006.01.16) |
| 239 |
|
|
|
| 240 |
|
|
* added additional configuration arguments and configuration variables |
| 241 |
|
|
to skip the server certificate check in wget |
| 242 |
|
|
(to support https:// URLs where the server is authenticated with |
| 243 |
|
|
a certificate that is not part of it's own trusted domain, such as |
| 244 |
|
|
the KISTI URL) |
| 245 |
|
|
|
| 246 |
|
|
Changes in version EGP 2.4 |
| 247 |
|
|
-------------------------- |
| 248 |
|
|
(2005.11.15) |
| 249 |
|
|
|
| 250 |
|
|
* for those platforms that support the stat(1) command, and in case the |
| 251 |
|
|
.crl_url file is named after the hash of the crl subject name to download, |
| 252 |
|
|
error eporting for individual download errors can be suppressed for |
| 253 |
|
|
a configurable amount of time as set via the "-a" option (unit: hours). |
| 254 |
|
|
|
| 255 |
|
|
Changes in version EGP 2.3 |
| 256 |
|
|
-------------------------- |
| 257 |
|
|
(2005.11.05) |
| 258 |
|
|
|
| 259 |
|
|
* do not replace recent CRLs with ones that have an older lastUpdate |
| 260 |
|
|
timestamp (prevents ARP/DNS DoS attacks) |
| 261 |
|
|
|
| 262 |
|
|
Changes in version EGP 2.2 |
| 263 |
|
|
-------------------------- |
| 264 |
|
|
(2005.10.27) |
| 265 |
|
|
|
| 266 |
|
|
* secure http download by wget recognise the CAs in the trusted directory. |
| 267 |
|
|
solves the issue described in the LCG bug tracking system |
| 268 |
|
|
https://savannah.cern.ch/bugs/index.php?func=detailitem&item_id=12182 |
| 269 |
|
|
|
| 270 |
|
|
Changes in version EGP 2.1 |
| 271 |
|
|
-------------------------- |
| 272 |
|
|
(2005.08.12) |
| 273 |
|
|
* specifically look for the most recent version of OpenSSL. The |
| 274 |
|
|
one in GLOBUS_LOCATION (which used to take precedence in the |
| 275 |
|
|
previous releases) is outdated in many cases and caused |
| 276 |
|
|
troubles on the LCG production systems in validating v2 CRLs |
| 277 |
|
|
* added manual page fetch-crl(8) |
| 278 |
|
|
|
| 279 |
|
|
Changes in version EGP 2.0 |
| 280 |
|
|
-------------------------- |
| 281 |
|
|
(2005.02.28) |
| 282 |
|
|
* name of the installed script changed to "fetch-crl" |
| 283 |
|
|
* the cronjob script is no longer installed by default, but supplied |
| 284 |
|
|
as an example in the %doc directory |
| 285 |
|
|
* RPM is now relocatable (default install in /usr) |
| 286 |
|
|
* READMA and CHANGES file now inclued in %doc tree |
| 287 |
|
|
* make install now installs |
| 288 |
|
|
* version increased to 2.0 |
| 289 |
|
|
|
| 290 |
|
|
Changes in version EGP 1.9 |
| 291 |
|
|
-------------------------- |
| 292 |
|
|
(2005.02.24) |
| 293 |
|
|
* the content of the final target CRL file is now checked for |
| 294 |
|
|
containing a valid CRL if it already exists. If it does not |
| 295 |
|
|
contain a CRL, an error is displayed and the file left untouched |
| 296 |
|
|
So making the final ".r0" file in ${outdir} a link to something else |
| 297 |
|
|
will not work, preventing an escalation in the final stage. |
| 298 |
|
|
|
| 299 |
|
|
Changes in version EGP 1.8 |
| 300 |
|
|
-------------------------- |
| 301 |
|
|
(changes from Fabio's version 1.7, 2005.02.24) |
| 302 |
|
|
|
| 303 |
|
|
* All temporary files (the initial CRL download using wget |
| 304 |
|
|
and the PEM-converted version of that file) are now created using |
| 305 |
|
|
mktemp |
| 306 |
|
|
* the RetrieveFileByURL function will not overwrite files that |
| 307 |
|
|
have any data in them |
| 308 |
|
|
* Note that the script can be run by a non-priviledged user, but |
| 309 |
|
|
that the output directory must be made writable by that user |
| 310 |
|
|
in an out-of-band way. |
| 311 |
|
|
|
| 312 |
|
|
EDG version 1.7 |
| 313 |
|
|
--------------- |
| 314 |
|
|
Imported with consent of Fabio Hernandez and Steve Traylen from |
| 315 |
|
|
the original EDG repository. |
| 316 |
|
|
The EU DataGrid License applies, see http://www.eu-datagrid.org/ |
Parent Directory
| 
Revision Log