You are viewing a plain text version of this content. The canonical link for it is here.
Posted to test-dev@httpd.apache.org by Sander Temme <sc...@covalent.net> on 2003/08/04 21:37:51 UTC
[PATCH] Enable client certificate for https-https proxy tests
Hi all,
This patch fixes a problem that occurs when RSA SSL-C is used as back-end
for mod_ssl:
Index: t/conf/ssl/proxyssl.conf.in
===================================================================
RCS file:
/home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
retrieving revision 1.11
diff -u -r1.11 proxyssl.conf.in
--- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -0000 1.11
+++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -0000
@@ -34,7 +34,7 @@
#these are not on by default in the 1.x based mod_ssl
<IfDefine APACHE2>
SSLProxyEngine On
- #SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
+ SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
#client_ok.pem should be loaded first
SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt
If I don't explicitly specify the proxy client cert when running on SSL-C,
the wrong certificate gets picked for proxy client authentication. The
result is a 403 Forbidden from the upstream, and a 502 Bad Gateway from the
proxy.
The regular mod_ssl/OpenSSL combination is not affected, but is not broken
by this patch either. Tested on Darwin (OpenSSL), Linux (both OpenSSL and
SSL-C) and Solaris (both).
S.
--
Covalent Technologies sctemme@covalent.net
Engineering group Voice: (415) 856 4214
303 Second Street #375 South Fax: (415) 856 4210
San Francisco CA 94107
PGP Fingerprint: 7A8D B189 E871 80CB 9521 9320 C11E 7B47 964F 31D9
=======================================================
This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message
=======================================================
Re: [PATCH] Enable client certificate for https-https proxy tests
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Aug 04, 2003 at 12:37:51PM -0700, Sander Temme wrote:
> Hi all,
>
> This patch fixes a problem that occurs when RSA SSL-C is used as back-end
> for mod_ssl:
Just looked into this again, we'd seen this same problem on a few boxes
(using OpenSSL of course), but not on others, and had been using exactly
the same patch as you, and now I triggered the thing again today.
It is a directory ordering bug (they are the order of the day it seems
:): successful operation depends on readdir() returning client_ok.pem
first, which is not guaranteed but happens sometimes; since all the
certs match the CA names offered any of them will be chosen. So this
really is a correct fix.
I suppose there is a mod_ssl bug here too: SSLP.M.C.Path is not
consistent in determining which client cert is used if several would
match the CA names offered, it just relies on directory ordering.
I'll check this in, anyway. Very belated thanks :)
> Index: t/conf/ssl/proxyssl.conf.in
> ===================================================================
> RCS file:
> /home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
> retrieving revision 1.11
> diff -u -r1.11 proxyssl.conf.in
> --- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -0000 1.11
> +++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -0000
> @@ -34,7 +34,7 @@
> #these are not on by default in the 1.x based mod_ssl
> <IfDefine APACHE2>
> SSLProxyEngine On
> - #SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
> + SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
> #client_ok.pem should be loaded first
> SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
> SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt