Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/12/05 18:26:25 UTC
DO NOT REPLY [Bug 46355] New: Support to protect multiple resources via x.509 client auth certificates that are issued off different Issuing CAs that are issued off the same Root CA
https://issues.apache.org/bugzilla/show_bug.cgi?id=46355
Summary: Support to protect multiple resources via x.509 client auth certificates that are issued off different Issuing CAs that are issued off the same Root CA
Product: Apache httpd-2
Version: 2.2.10
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: enhancement
Priority: P1
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: m.gonzalezlee@gmail.com
I have attempted to configure the Apache web server to protect 2 different
resources (/protected and /protected2) with X.509 client authentication making
use of certificates issued off 2 different issuing CAs that were issued off the
same Root CA. Note that both resources are protected by the same listener
listening on 443. Note also that this issue is related to the client trust list
and not the server trust list (i.e. the bundle of CA certificates configured to
support either Server SSL or Client SSL).
The test PKI hierarchy I am testing against looks as follows:
                    Root CA
                       |
     ---------------------------------------
     |                 |                  |
Issuing CA1       Issuing CA2        Issuing CA3
(issuing certs    (issuing certs     (issuing certs
to protect        to protect         to protect another
'/protected')     '/protected2')     web server)
However, I could not configure Apache to protect such resources accordingly. If
this can be done, please let me know, although my testing indicates that it can
not, hence raising this bug report!
The best I could achieve is to protect BOTH resources (/protected and
/protected2) making use of the same Issuing CAs, using the following config
snippet:
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
# Trust list used to verify client chains: both Issuing CAs plus the Root CA
SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
# CA names advertised to the client in the CertificateRequest: the Issuing CAs only
SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-bundle.crt"
SSLVerifyClient none
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs-443/protected">
    SSLVerifyClient require
    SSLVerifyDepth 2
</Directory>
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs-443/protected2">
    SSLVerifyClient require
    SSLVerifyDepth 2
</Directory>
However, I would like to be able to protect both resources (/protected and
/protected2) making use of certificates issued by *different* Issuing CAs that
were in turn issued off the same Root CA (as illustrated above). I tried moving
the 'SSLCACertificateFile' directive within the 'Directory' directive, but the
server would not start up (producing the error: "SSLCADNRequestFile not allowed
here"). The config I would like to have succeeded is:
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
# Trust list used to verify client chains: both Issuing CAs plus the Root CA
SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
SSLVerifyClient none
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs-443/protected">
    # per-Directory CA name list: this is the directive httpd rejects at startup
    SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica1.crt"
    SSLVerifyClient require
    SSLVerifyDepth 2
</Directory>
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs-443/protected2">
    SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica2.crt"
    SSLVerifyClient require
    SSLVerifyDepth 2
</Directory>
Can this be achieved in any other way that I may have missed, or is an
enhancement request required?
Thanks,
Manuel.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 46355] Support to protect multiple resources via x.509 client auth certificates that are issued off different Issuing CAs that are issued off the same Root CA
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46355
Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|                            |INVALID
--- Comment #1 from Joe Orton <jo...@redhat.com> 2009-06-23 07:41:14 PST ---
It's not possible to do exactly what you're requesting with OpenSSL.
It is technically feasible to simply:
- configure the root CA as SSLCACertificateFile
- in per-directory context, use SSLRequire to check that the client cert is
issued by the appropriate intermediary, by comparing the appropriate field in
the client's issuer DN - SSL_CLIENT_I_DN_*
though there may be deployment issues with that if you are expecting any given
client to have more than one cert.
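The following is an added example, not part of the bug report and not httpd or OpenSSL project code. It builds the reporter's PKI (one Root CA, three Issuing CAs, one client certificate under each) with the openssl CLI and then reproduces, in shell, the two checks that Comment #1 proposes: chain validation with the Root CA as the only trust anchor (what SSLVerifyClient require does when SSLCACertificateFile holds root.crt alone), followed by a per-resource comparison of the client certificate's issuer DN, the value mod_ssl exposes as SSL_CLIENT_I_DN_CN. The security-relevant point it makes visible: once the Root CA is the anchor, a certificate from Issuing CA3 (the CA for the "other web server") chain-validates exactly as well as one from Issuing CA1 or CA2, so the SSLRequire line on the issuer DN is the only thing keeping it out of /protected. All CA and subject names, the resource-to-CA mapping and the httpd.conf paths printed at the end are made up for the demo; the script needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the bug report or httpd). Emulates Comment #1:
# trust the Root CA alone for chain validation, then decide per resource on
# the client certificate's issuer DN (mod_ssl's SSL_CLIENT_I_DN_CN).
# All CA/subject names are made up for the demo. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-contained config so nothing depends on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT ISSUER EXT: new EC key + CSR, signed with ISSUER's key.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config ext.cnf -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -set_serial "0x$(openssl rand -hex 8)" -extfile ext.cnf -extensions "$4" \
    -out "$1.crt" 2>/dev/null
}

# The hierarchy from the report: one root, three issuing CAs, a client each.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 1 -config ext.cnf -extensions ca -subj "/CN=Test Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
issue ica1 "/CN=Issuing CA1" root ca
issue ica2 "/CN=Issuing CA2" root ca
issue ica3 "/CN=Issuing CA3" root ca    # the CA for the "other web server"
issue client1 "/CN=alice" ica1 client
issue client2 "/CN=bob"   ica2 client
issue client3 "/CN=carol" ica3 client

# chain_ok CLIENT_CRT INTERMEDIATE_CRT: what "SSLVerifyClient require" with
# only root.crt in SSLCACertificateFile checks (the client sends its ICA).
chain_ok() { openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1; }

# issuer_cn CRT: the CN of the issuer DN, i.e. SSL_CLIENT_I_DN_CN.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# authorize RESOURCE CLIENT_CRT INTERMEDIATE_CRT: the per-<Directory> decision,
# i.e. SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Issuing CA1" for /protected and
# "Issuing CA2" for /protected2, evaluated only after the chain check passed.
authorize() {
  case "$1" in
    /protected)  want="Issuing CA1" ;;
    /protected2) want="Issuing CA2" ;;
    *)           return 1 ;;
  esac
  chain_ok "$2" "$3" || return 1
  [ "$(issuer_cn "$2")" = "$want" ]
}

# Every client chains to the root, carol (Issuing CA3) included; the issuer
# check is the only thing keeping her, and bob, out of /protected.
for c in client1:ica1 client2:ica2 client3:ica3; do
  crt=${c%%:*}.crt; ica=${c##*:}.crt
  chain_ok "$crt" "$ica" && chain=valid || chain=INVALID
  for r in /protected /protected2; do
    authorize "$r" "$crt" "$ica" && d=allow || d=deny
    printf '%-12s issuer=%-12s chain=%-7s %-11s %s\n' "$crt" "$(issuer_cn "$crt")" "$chain" "$r" "$d"
  done
done

# The httpd.conf shape this emulates (paths are placeholders; on httpd 2.4 the
# SSLRequire lines would be written as "Require expr" instead).
cat <<'EOF'

SSLCACertificateFile "conf/ssl/root.crt"
SSLVerifyClient none
<Directory "htdocs-443/protected">
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Issuing CA1"
</Directory>
<Directory "htdocs-443/protected2">
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Issuing CA2"
</Directory>
EOF
```

Three caveats a practitioner should weigh before deploying this shape. First, with only the Root CA in SSLCACertificateFile, OpenSSL can complete the chain only if the client sends its intermediate in the handshake; clients that present the leaf alone fail verification unless the Issuing CAs are also placed in SSLCACertificateFile (or SSLCACertificatePath), in which case SSLCADNRequestFile is the way to keep the advertised CA list down to the root. Second, that advertised list is what Joe's deployment caveat is about: the server can no longer tell a client that holds certificates from several Issuing CAs under the same root which one to pick, because every <Directory> shares one listener and one CertificateRequest. Third, the issuer check is exactly as strong as the root's naming discipline: any subordinate the Root CA later issues with the same CN, or a check written against CN alone where the full DN differs, would pass, so compare the full issuer DN (SSL_CLIENT_I_DN) where CNs could collide.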