Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/05/10 08:57:16 UTC

DO NOT REPLY [Bug 50812] mod_ssl SSLProxyMachineCertificateFile can't use a 2+ depth certificate when server only returns root CA's on its Acceptable client certificate CA names

https://issues.apache.org/bugzilla/show_bug.cgi?id=50812

--- Comment #2 from shell_layer-apachesf@yahoo.com.au 2011-05-10 06:57:16 UTC ---
@Joe Orton:
The TLS specification indicates that it's acceptable for the server to simply
send a root CA and expect a client CA falling under that root.

See http://tools.ietf.org/html/rfc5246

Section 7.4.4, in reference to the list of CA names in the client certificate
request, provides that
"These distinguished names may specify a desired distinguished name for a root
CA or for a subordinate CA; thus, this message can be used to describe known
roots as well as a desired authorization space."

Section 7.4.6, in reference to the client certificate message, provides that
"This message conveys the client's certificate chain to the server"
and
"If the certificate_authorities list in the certificate request message was
non-empty, one of the certificates in the certificate chain SHOULD be issued by
one of the listed CAs."

These references strongly suggest that the list of acceptable CAs does not need
to include every level of the certificate chain; it can simply include the root
and let the client determine which certificates ultimately come under that
root.

If searching multiple levels of the certificate chain is too complex, then I
recommend as a minimum that the fallback action, when 'ssl_callback_proxy_cert'
does not find a client certificate matching any on the acceptable CA list,
should be to send the first configured client certificate, as if the acceptable
CA list were empty.

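The selection logic the comment argues for, as an added illustration that is not mod_ssl's code and not part of the bug report: a leaf-issuer-only match (the behaviour the bug describes) next to a chain-aware match that follows RFC 5246 section 7.4.6, with the fallback the commenter proposes when nothing matches. It is deliberately simplified: certificates are modelled as subject/issuer distinguished-name strings rather than OpenSSL X509 objects, the DN values are constructed, and the function names are hypothetical stand-ins for `ssl_callback_proxy_cert`. Note that the certificate_authorities list only steers which chain the client offers; the server still validates whatever chain it receives.

```python
"""
Added example (not mod_ssl code): picking a client certificate chain against
the server's certificate_authorities list, per RFC 5246 7.4.4 and 7.4.6.
All distinguished names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name, simplified to a string
    issuer: str


# A chain is ordered leaf first, ending at the root or just below it.
Chain = List[Cert]


def leaf_issuer_only(chains: Sequence[Chain],
                     acceptable_cas: Sequence[str]) -> Optional[Chain]:
    """Depth-1 matching: only the leaf's direct issuer is compared against
    the advertised CA names. This is the behaviour the bug report describes;
    a leaf signed by an intermediate under a listed root is never selected,
    so no certificate is sent."""
    for chain in chains:
        if chain[0].issuer in acceptable_cas:
            return chain
    return None


def chain_aware(chains: Sequence[Chain],
                acceptable_cas: Sequence[str],
                fallback_to_first: bool = True) -> Optional[Chain]:
    """RFC 5246 7.4.6: one of the certificates in the chain SHOULD be issued
    by a listed CA, so every certificate's issuer in the chain is compared.
    An empty certificate_authorities list means any configured chain is
    acceptable. If nothing matches, optionally fall back to the first
    configured chain, which is the minimum the comment asks for."""
    if not chains:
        return None
    if not acceptable_cas:
        return list(chains[0])
    ca_set = set(acceptable_cas)
    for chain in chains:
        if any(cert.issuer in ca_set for cert in chain):
            return list(chain)
    return list(chains[0]) if fallback_to_first else None


# Constructed sample: a 2-depth chain, leaf <- intermediate <- root.
ROOT = "CN=Example Root CA,O=Example"
INTERMEDIATE = "CN=Example Issuing CA,O=Example"
CLIENT_CHAIN: Chain = [
    Cert(subject="CN=proxy-client,O=Example", issuer=INTERMEDIATE),
    Cert(subject=INTERMEDIATE, issuer=ROOT),
]


def demo() -> dict:
    """Server advertises only its root, as RFC 5246 7.4.4 permits."""
    acceptable = [ROOT]
    return {
        "leaf_only": leaf_issuer_only([CLIENT_CHAIN], acceptable),
        "chain_aware": chain_aware([CLIENT_CHAIN], acceptable),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        sent = "no certificate sent" if result is None else result[0].subject
        print(f"{name}: {sent}")
```

Running the block prints that the leaf-only strategy sends nothing for the 2-depth chain while the chain-aware strategy offers `CN=proxy-client`; passing `fallback_to_first=False` reproduces the current "send nothing" outcome when no issuer matches at any depth.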