Posted to dev@httpd.apache.org by Kaspar Brand <ht...@velox.ch> on 2014/01/08 09:08:12 UTC

Adding -DDUMP_CA_CERTS for mod_ssl (Re: svn commit: r1550060 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_config.c)

On 06.01.2014 08:46, Jan Kaluža wrote:
> On 01/05/2014 11:10 AM, Kaspar Brand wrote:
> I think I have no problem with changing the code to work as you 
> describe. I've only thought the way it works now is better, because 
> otherwise httpd could dump some files which it does not consider later. 
> This could be confusing as well.
> 
>>> If we presume that directory specified by SSLCACertificatePath contains
>>> only valid certificates and no other files, we could remove that
>>> validity check and just print filenames of all files in that directory.
>>
>> The files in that directory are accessed via their OpenSSL subject name
>> hashes, i.e. OpenSSL will look for file names like 5e5a5bcb.0 etc. It's
>> therefore rather misleading if -DDUMP_CA_CERTS dumps all files in a
>> directory, only based on whether their contents include at least one PEM
>> block with BEGIN/END CERTIFICATE.
> 
> Hm, I think when I was testing that in December it definitely worked 
> with different filenames too. I will give it a try again, but if it's 
> like that, my current code is wrong and needs change definitely.

For SSLCACertificatePath, it's a twofold thing: a) what is happening at
startup and b) what is happening at request time.

For a), it's the code in ssl_engine_init.c which is pertinent:
ssl_init_FindCAList() collects a list of all CA subject DNs, with the
help of OpenSSL's SSL_load_client_CA_file(). mod_ssl will iterate over
all files in the directory itself, so the file name does not matter in
this case. (Note, however, that SSL_load_client_CA_file will only read
in the subject DN of a certificate, nothing more.)

For b), it's OpenSSL which decides at request time what CA certificate
file to load - see the paragraph about CApath in the
SSL_CTX_load_verify_locations(3) man page. If OpenSSL can't load the
file via its subject name hash, verification will fail - irrespective of
whether the CA certificate has expired or not. As an additional caveat,
note that the subject name hashing code changed from 0.9.8
to 1.0.0 (see [1]), so this may further complicate things.

> The problem I'm trying to solve is that there are admins with websites 
> which requires the users accessing the website to have client 
> certificates signed by certain CAs. There was an incident where a CA 
> re-issued their signing cert because the old one was expiring. The admin 
> didn't know this, so when the old certificate expired, all users whose 
> certificates were signed by that CA could no longer get in because they 
> had not updated the cert for that CA.
> 
> If httpd had a "-DDUMP_CA_CERTS" option, they could use certwatch or 
> similar tool to be warned before CA cert expires.

I see, but I think you can't really solve it by having mod_ssl enumerate
files which contain a BEGIN/END CERTIFICATE block. What I would
recommend instead is that mod_ssl only dumps the directory names, and
that you add some glue to certwatch (or certwatch.cron, more precisely)
to iterate over the {hash}.{n} files. (As an aside, I think that
certwatch will currently only process the first certificate in a file
configured with SSLCACertificateFile, unless I'm completely misreading
pemutil.c:EMUTIL_PEM_read_X509.)

Kaspar

[1]
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c2c99e2860566044b23a5b3fded6f70b7436b9ad
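The kind of "glue" the message above recommends, written out as an added example (this is not httpd, mod_ssl or certwatch code). It walks an SSLCACertificatePath directory the way OpenSSL's CApath lookup does at request time, i.e. it only trusts entries named {hash}.{n}, recomputes the subject hash with the openssl(1) CLI to confirm the file would actually be found during verification, flags names that still use the pre-1.0.0 hash, and warns about certificates expiring within a configurable number of days. Files in the directory that are not named {hash}.{n} are reported separately, since mod_ssl will still read their subject DN at startup but OpenSSL will never load them at request time. It assumes an OpenSSL 1.0.0 or later command line (the -subject_hash_old and -checkend options); the function name check_capath and the example path are my own choices.

```shell
#!/bin/sh
# Added example, not httpd/mod_ssl/certwatch code.
# Usage: check_capath /path/to/SSLCACertificatePath [warn_days]
# Exit status is non-zero if any entry is misnamed, unreadable or expiring.
# Assumes the openssl(1) CLI from OpenSSL 1.0.0 or later is on PATH.

check_capath() {
    capath=$1
    warn_days=${2:-30}
    rc=0
    for f in "$capath"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # At request time OpenSSL only consults names of the form {hash}.{n}.
        # Anything else is read by mod_ssl at startup (subject DN only) but
        # can never be loaded during client certificate verification.
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) echo "SKIP $name: not a {hash}.{n} name; advertised at startup but never found at request time"
               continue ;;
        esac
        fhash=${name%.*}
        # Subject hash as the running OpenSSL computes it (1.0.0+ algorithm).
        want=$(openssl x509 -in "$f" -noout -subject_hash) || {
            echo "ERR  $name: cannot parse as an X.509 certificate"; rc=1; continue; }
        if [ "$fhash" != "$want" ]; then
            # The hash algorithm changed between 0.9.8 and 1.0.0; tell the
            # admin whether the file was simply named with the old hash.
            old=$(openssl x509 -in "$f" -noout -subject_hash_old 2>/dev/null)
            if [ "$fhash" = "$old" ]; then
                echo "FAIL $name: named with the 0.9.8 subject hash; 1.0.0+ looks for $want.{n}"
            else
                echo "FAIL $name: subject hash is $want, CApath lookup will miss this file"
            fi
            rc=1; continue
        fi
        # -checkend exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend $((warn_days*86400)) >/dev/null; then
            echo "WARN $name: expires within $warn_days days ($(openssl x509 -in "$f" -noout -enddate))"
            rc=1
        else
            echo "OK   $name"
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_capath "$@"
fi
```

Run it from certwatch.cron (or any cron job) against each directory mod_ssl reports for SSLCACertificatePath; a non-zero exit status means something needs attention. Note that openssl x509 reads only the first PEM block of a file, which matches the one-certificate-per-{hash}.{n}-file convention of CApath directories.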