Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/10/19 23:40:42 UTC

[Bug 54030] New: Support subjectAltName when (reverse-)proxying

https://issues.apache.org/bugzilla/show_bug.cgi?id=54030

          Priority: P2
            Bug ID: 54030
          Assignee: bugs@httpd.apache.org
           Summary: Support subjectAltName when (reverse-)proxying
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: michael@weiser.dinsnail.net
          Hardware: All
            Status: NEW
           Version: 2.4.3
         Component: mod_ssl
           Product: Apache httpd-2

A reverse proxy with SSLProxyCheckPeerCN turned on does not support
certificates with subjectAltName:DNS extensions as of 2.4.3 and latest trunk.
The attached patches seem to make that work for 2.4.2 and trunk. trunk already
has some limited wildcard matching which is superseded by this patch. There is
some mild code duplication since the logic is stolen from
modules/ssl/ssl_engine_init.c:ssl_check_public_cert().

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #3 from Kaspar Brand <as...@velox.ch> ---
See also bug 53006.

Some preliminary comments about the patch: we really want to avoid duplicating
code from ssl_check_public_cert() - there should be a single check_ID(...)
function instead (i.e. the code should be factored out to ssl_util_ssl.c,
ideally).

In the following two log messages, there's a misconception about what a "DN"
really is in the context of an X.509 certificate:

+                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO()
+                              "SSL Proxy: Failure to extract DNs from"
+                              " peer certificate."
+                              " Requested hostname: %s", 
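Review bot: the `APLOGNO()` on the first added line of this hunk carries no message tag, while every other `ap_log_cerror` call in this file has one (see the `APLOGNO(02005)` a few lines down); httpd assigns each log message a unique number before commit, so the empty parentheses need to be filled in rather than left as a placeholder. The quoted fragment also ends on `" Requested hostname: %s", ` with trailing whitespace and without the format arguments, so the call as shown is incomplete and cannot be judged for argument/format agreement.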


                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
                               "SSL Proxy: Peer certificate CN mismatch:"
-                              " Certificate CN: %s Requested hostname: %s",
-                              hostname, hostname_note);
+                              " Requested hostname: %s."
+                              " Last DN checked: %s.",
+                              hostname_note, id[i-1]);
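Review bot: `id[i-1]` in the new argument list reads one element before the array whenever `i` is 0 at this point, i.e. if the mismatch path can be reached without any identifier having been collected; unless the surrounding loop guarantees `i >= 1` here, guard it, for example `i > 0 ? id[i-1] : "(none)"`. The message also keeps tag `APLOGNO(02005)` while its content changes (the certificate value is no longer logged, only the last entry checked), so any documentation keyed to 02005 should be updated, and "Last DN checked" labels a host-name identifier (SAN dNSName or CN) as a DN, which it is not.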


DN is short for "distinguished name" (not "domain name"), and a certificate
only has a single subject DN and a single issuer DN (for host name checks, the
former is relevant).

Right now the name of the directive is "SSLProxyCheckPeerCN", so the code is
currently doing what the documentation states ("Whether to check the remote
server certificates CN field"). I agree that checking against subjectAltName
entries is highly desirable (in the spirit of RFC 6125), but we might want to
introduce a separate directive for this purpose (and deprecate
SSLProxyCheckPeerCN).

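Kaspar's single check_ID routine, covering both the reporter's subjectAltName case and the existing CN check, as an added example that is not httpd's code nor the later r1425874 implementation: identifiers arrive as plain strings (constructed sample values) rather than being read from the peer certificate via OpenSSL, and the names id_matches, check_id and sample_* are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* One presented identifier (SAN dNSName or subject CN) vs. the requested
 * host, case-insensitive.  A wildcard counts only as the whole left-most
 * label: "*.example.org" matches "www.example.org" but not "example.org"
 * or "a.b.example.org"; a '*' anywhere else is an ordinary character. */
static int id_matches(const char *id, const char *host)
{
    if (strncmp(id, "*.", 2) != 0)           /* not a wildcard: exact match */
        return strcasecmp(id, host) == 0;
    const char *dot = strchr(host, '.');    /* end of the label '*' absorbs */
    if (dot == NULL || dot == host)         /* nothing for '*' to absorb */
        return 0;
    return strcasecmp(id + 1, dot) == 0;    /* ".example.org" vs. the rest */
}

/* Returns 1 when hostname is a valid identity for the certificate.
 * Per RFC 6125 section 6.4.4 a non-empty dNSName list is authoritative
 * and the CN is ignored; the CN is a fallback only for certificates that
 * carry no dNSName at all.  cn may be NULL (constructed API, not mod_ssl's). */
int check_id(const char *const *dns_ids, size_t n_ids,
             const char *cn, const char *hostname)
{
    for (size_t i = 0; i < n_ids; i++)
        if (id_matches(dns_ids[i], hostname))
            return 1;
    if (n_ids > 0)
        return 0;                            /* SAN present: CN is not a fallback */
    return cn != NULL && id_matches(cn, hostname);
}

/* Constructed sample peer certificate: two dNSName entries and a CN naming
 * a host that is deliberately absent from the SAN. */
const char *const sample_san[] = { "www.example.org", "*.test.example.org" };
const size_t sample_san_len = 2;
const char *const sample_cn = "proxy.example.org";

int main(void)
{
    const char *hosts[] = { "WWW.example.org", "proxy.example.org",
                            "a.test.example.org", "x.y.test.example.org" };
    for (size_t i = 0; i < 4; i++)
        printf("%-22s %s\n", hosts[i],
               check_id(sample_san, sample_san_len, sample_cn, hosts[i])
               ? "match" : "MISMATCH");
    return 0;
}
```

Note that "proxy.example.org" is rejected even though it is the CN, because the certificate carries dNSName entries; a proxy that still falls back to the CN in that situation accepts an identity the issuer did not vouch for.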


[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #6 from Kaspar Brand <as...@velox.ch> ---
I have implemented this in trunk with r1425874 - testing would be appreciated.



[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #1 from Michael Weiser <mi...@weiser.dinsnail.net> ---
Created attachment 29499
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29499&action=edit
subjectAltName support for httpd-2.4.2



[Bug 54030] Support subjectAltName when (reverse-)proxying


Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #8 from Kaspar Brand <as...@velox.ch> ---
(In reply to comment #7)
> Can this be backported to 2.4?

Yes, proposed for 2.4 with r1433834.



[Bug 54030] Support subjectAltName when (reverse-)proxying


Michael Weiser <mi...@weiser.dinsnail.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.3                       |2.5-HEAD



[Bug 54030] Support subjectAltName when (reverse-)proxying


Michael Weiser <mi...@weiser.dinsnail.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement



[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #2 from Michael Weiser <mi...@weiser.dinsnail.net> ---
Created attachment 29500
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29500&action=edit
subjectAltName support for httpd-trunk-20121019



[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #4 from Michael Weiser <mi...@weiser.dinsnail.net> ---
Complete agreement. To be clear: Are you inclined (and have the time) to
implement those changes yourself or are you challenging me to update the patch?
If the latter: I can certainly try the refactoring and terminology cleanup but
feel ill equipped to add a config option because of all the further
infrastructure knowledge required for that.



[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #7 from Michael Weiser <mi...@weiser.dinsnail.net> ---
Sorry for the sluggish response. I've tested and it seems to work nicely with
current head. Thanks!

Can this be backported to 2.4?



[Bug 54030] Support subjectAltName when (reverse-)proxying


--- Comment #5 from Kaspar Brand <as...@velox.ch> ---
(In reply to comment #4)
> Are you inclined (and have the time) to implement those changes yourself

Not within a short-term timeframe (say, this month), but mid-term, yes.
