Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/03/09 18:24:28 UTC

DO NOT REPLY [Bug 52874] New: Support Use TrustedFirst checking when verifying client certificate chain

https://issues.apache.org/bugzilla/show_bug.cgi?id=52874

             Bug #: 52874
           Summary: Support Use TrustedFirst checking when verifying
                    client certificate chain
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: vargok@yahoo.com
    Classification: Unclassified


Client Certificate verification expects the client to provide a full
certificate chain back to a trusted root.  However, with the introduction of
Cross-certification configuration, there may be multiple "valid" paths, of
differing scope.  OpenSSL (HEAD/c.a. 1.0.2) has provided support for a Trusted
First flag to verification processing, and I would like to see that make its
way back into mod_ssl.
As I'm using RHEL-5, I'd like to get EL-5 to update its mod_ssl (and openssl),
but I'd like to get the patch into mod_ssl's "upstream," as well.

Basically, when verifying the Client certificate, the chain building process
should always check for the "next" (higher) CA Certificate to be in the
"trusted" store on the server-side, and if it finds it there, to use it;
continuing to build the chain from the server's store, ignoring the client's
store where possible.  This will allow clients to provide intermediates up to a
point (making it so the server needn't track all intermediates).  Once the
point of cross-certification is reached, the verification will proceed only
through the server's version to the Roots/intermediates it trusts, rather than
needing to trust the client-offered chain -- which will vary in trust-scope.

To reproduce:
  1. Generate a CA structure that has multiple roots, and issue one of the
     intermediates, or one of the "Root" certificates, through both CA
     structures.
  2. Configure two browser profiles, one to use each separate chain.
  3. Configure the server to trust one of the Roots, but not the other.
  4. One profile should "work," and the other should result in a "Local Issuer
     not found (20)" type error.
E.g.,
  [Cross-Certification (CC) Root CA]
      |
  [Intermediate CC 1]
      |
  [Re-issued non-CC "Root" CA] <--same keys--> [Self-Signed (SS) Root CA]
                  \                               /
                   \                             /
                    \                           /
             [Intermediate issued from cross-certified CA]
                                 |
                    [End-entity (user) certificate]

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

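As an added example (this is not code from the bug report, from the attached patch, or from httpd), the script below rebuilds the hierarchy in the diagram with the openssl CLI and runs both "profiles" through openssl verify: once with the server trusting only the self-signed root and once trusting only the cross-certification root. All CA names, serial numbers, key sizes, file names and the 365-day validity are constructed for the demonstration. The -trusted_first option of openssl verify is accepted by OpenSSL 1.0.2 and later; on 1.1.0 and later the trusted-first lookup is the default, so the legacy "error 20" for the cross-certified chain only reproduces on older builds, while the negative control (trusting the CC root but offering no cross-certificate) fails on every version.

```shell
#!/bin/sh
# Added example: reproduce the cross-certified CA layout from the bug report
# and check how openssl verify builds the client chain against each root.
# Everything here (names, serials, files) is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so "openssl req" does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
# Extension profiles for CA certificates and for the end-entity certificate.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ca.ext
printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\n' > ee.ext

# csr NAME SUBJECT: fresh RSA key plus a CSR for it.
csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}
# selfsign NAME SERIAL: self-signed root from NAME.csr, written to NAME.pem.
selfsign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$2" \
        -days 365 -sha256 -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# sign CSRNAME ISSUER SERIAL EXTFILE OUT: issue CSRNAME.csr under ISSUER's key and cert.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$3" \
        -days 365 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

csr ccroot "Cross-Certification Root CA";  selfsign ccroot 1          # [CC Root CA]
csr intcc1 "Intermediate CC 1";            sign intcc1 ccroot 2 ca.ext intcc1.pem
csr shared "Shared Root CA";               selfsign shared 3          # [Self-Signed (SS) Root CA]
sign shared intcc1 4 ca.ext shared_cc.pem  # same key and name re-issued under Intermediate CC 1
csr int "Intermediate CA";                 sign int shared 5 ca.ext int.pem  # issued by the shared key
csr ee "client user";                      sign ee int 6 ee.ext ee.pem       # end-entity

# The two "browser profiles": what each one sends alongside ee.pem.
cat int.pem > chain_ss.pem                          # profile A: intermediate only
cat int.pem shared_cc.pem intcc1.pem > chain_cc.pem # profile B: intermediate + cross-cert path

# verify_ee TRUSTED UNTRUSTED [extra openssl verify flags]: prints OK or FAIL.
verify_ee() {
    trusted=$1; untrusted=$2; shift 2
    out=$(openssl verify "$@" -CAfile "$trusted" -untrusted "$untrusted" ee.pem 2>&1) || true
    case $out in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

echo "trust SS root, SS chain:                  $(verify_ee shared.pem chain_ss.pem)"
echo "trust SS root, CC chain (default order):  $(verify_ee shared.pem chain_cc.pem)"
echo "trust SS root, CC chain, -trusted_first:  $(verify_ee shared.pem chain_cc.pem -trusted_first)"
echo "trust CC root, CC chain:                  $(verify_ee ccroot.pem chain_cc.pem)"
echo "trust CC root, SS chain (no cross-cert):  $(verify_ee ccroot.pem chain_ss.pem)"
```

The second line is the case the report is about: the server trusts only the self-signed root, yet the client hands over the cross-certified copy of that root plus Intermediate CC 1. Without trusted-first, chain building keeps walking the client-supplied certificates up to the CC root, which the server does not trust, and stops with "unable to get local issuer certificate" (error 20); with trusted-first it switches to the store as soon as Intermediate CA's issuer is found there. Adding -show_chain (OpenSSL 1.0.2 and later) to the openssl verify call prints which path was actually taken.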

DO NOT REPLY [Bug 52874] Support Use TrustedFirst checking when verifying client certificate chain

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52874

KV <va...@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #28448|0                           |1
        is obsolete|                            |

--- Comment #3 from KV <va...@yahoo.com> 2012-03-13 14:59:29 UTC ---
Created attachment 28460
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28460
Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl

Sorry; I attached the wrong diff, obviously.  Here's the one against mod_ssl
2.2.3 (via CentOS 5).



DO NOT REPLY [Bug 52874] Support Use TrustedFirst checking when verifying client certificate chain

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52874

--- Comment #1 from KV <va...@yahoo.com> 2012-03-09 17:26:31 UTC ---
Created attachment 28448
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=28448
Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl

Adds support for new Server-wide directive, SSLTrustedFirst, which enables the
ctx->param->flags for openssl's TrustedFirst directive when doing client
verification.



DO NOT REPLY [Bug 52874] Support Use TrustedFirst checking when verifying client certificate chain

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52874

Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|PC                          |All
            Version|2.2.3                       |2.5-HEAD
         OS/Version|Linux                       |All

--- Comment #2 from Kaspar Brand <as...@velox.ch> 2012-03-10 06:33:48 UTC ---
(In reply to comment #1)
> Created attachment 28448 [details]
> Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl

This patch only includes the changes to OpenSSL, but none for mod_ssl.

> Adds support for new Server-wide directive, SSLTrustedFirst, which enables the
> ctx->param->flags for openssl's TrustedFirst directive when doing client
> verification.

If we do this, we'll want to make it a per-vhost directive (same as
SSLCACertificateFile and friends).

It's too early to consider adding support for this to mod_ssl, however (even
for trunk). The X509_V_FLAG_TRUSTED_FIRST verification flag was added to
OpenSSL in http://cvs.openssl.org/chngview?cn=19324 and will first appear in
1.1.0, which won't be released that soon, most likely.
