Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/09/29 08:55:36 UTC

[Bug 61574] New: mod_ssl RFC: change uniqueness logic for SSLCADNRequest*

https://bz.apache.org/bugzilla/show_bug.cgi?id=61574

            Bug ID: 61574
           Summary: mod_ssl RFC: change uniqueness logic for
                    SSLCADNRequest*
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: jorton@redhat.com
  Target Milestone: ---

Created attachment 35387
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35387&action=edit
PoC using non-canonical name comparison in SSLCARequestDN*

We've hit an unusual case with a public CA which has issued two intermediate
certificates used for issuing client certificates, where the subject names of
the intermediate CAs only differ in the case of one character of the Subject DN
(i.e. one has lower case, the other upper case).

OpenSSL treats these names as identical - it canonicalizes names internally
(lower case, removing whitespace), and X509_NAME_cmp() compares as equal. 
Other TLS implementations do not treat them as equal.

While the name comparison rules in
https://tools.ietf.org/html/rfc3280#section-4.1.2.4 are clear, the rules in
https://tools.ietf.org/html/rfc5280#section-7.1 are more ambiguous, with
language like "Conforming implementations MUST support name comparisons using
caseIgnoreMatch" not explicit.  Anyway, the CA apparently thinks this practice
is acceptable.

One way to work around this in mod_ssl is to change the behaviour of
SSLCARequestDN* to avoid OpenSSL's standard (canonical) name comparison and
rely on a bitwise DN comparison.

On one hand, few people need to use that directive, and the behaviour change
should make no difference to 99.999% of them, so there should be little
downside.  On the other hand, this forces unnecessary complexity into mod_ssl
for a borderline standards violation.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 61574] mod_ssl RFC: change uniqueness logic for SSLCADNRequest*

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61574

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Joe Orton <jo...@redhat.com> ---
With r1825120, which simplifies to using SSL_add_file_cert_subjects_to_stack(),
this was fixed in OpenSSL via https://github.com/openssl/openssl/pull/4731



[Bug 61574] mod_ssl RFC: change uniqueness logic for SSLCADNRequest*

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61574

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
I should have been more explicit here: the problem this creates is that mod_ssl
can only send one of the two "duplicate" CA names in a certificate request,
when both are required.

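The following is an added illustration of the uniqueness problem from the report and Comment #1; it is not httpd or OpenSSL code. It builds DER-encoded CA subject names inline (constructed sample values, not the real CA's) and de-duplicates them once with an approximation of OpenSSL's canonical comparison (lower-cased, whitespace-collapsed values, as X509_NAME_cmp does) and once bitwise on the raw DER, showing that the canonical rule drops one of the two case-variant intermediates.

```python
OID_CN = b"\x55\x04\x03"  # id-at-commonName
OID_O = b"\x55\x04\x0a"   # id-at-organizationName


def der(tag, body):
    """Minimal DER TLV encoder; short-form lengths only, enough for the sample names."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def name(*rdns):
    """DER Name from (oid, PrintableString) pairs, one AttributeTypeAndValue per RDN."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x13, val.encode("ascii"))))
        for oid, val in rdns))


def tlvs(buf):
    """Split a DER buffer into (tag, body) pairs; short-form lengths only."""
    out, i = [], 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        out.append((tag, buf[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def canonical(name_der):
    """Approximation of the canonical form X509_NAME_cmp compares:
    each attribute value lower-cased with whitespace runs collapsed."""
    rdns = []
    for _, rdn in tlvs(tlvs(name_der)[0][1]):      # Name -> each RDN (SET)
        atvs = []
        for _, atv in tlvs(rdn):                   # RDN -> each AttributeTypeAndValue
            (_, oid), (_, val) = tlvs(atv)
            atvs.append((oid, b" ".join(val.lower().split())))
        rdns.append(tuple(sorted(atvs)))
    return tuple(rdns)


def unique_ca_names(names, canonical_compare):
    """Count of CA names surviving de-duplication under the chosen rule.
    canonical_compare=True models the old mod_ssl behaviour (one name lost);
    False models a bitwise DER comparison (both names kept)."""
    key = canonical if canonical_compare else bytes
    return len({key(n) for n in names})


# Constructed sample: two intermediates whose DNs differ only in the case of one
# character ("Client" vs "client"), plus one unrelated root.
CA_NAMES = [
    name((OID_O, "Example Corp"), (OID_CN, "Example Client CA")),
    name((OID_O, "Example Corp"), (OID_CN, "Example client CA")),
    name((OID_O, "Example Corp"), (OID_CN, "Example Root CA")),
]
```

With these inputs the canonical rule yields 2 names and the bitwise rule 3, which is exactly the difference the report asks mod_ssl to account for.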