You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/01/22 02:31:55 UTC
DO NOT REPLY [Bug 52495] New: CACertificate, CADNCertificate,
CARevocation, CertificateChain, Certifcate and CertificateKey per directory
context
https://issues.apache.org/bugzilla/show_bug.cgi?id=52495
Bug #: 52495
Summary: CACertificate, CADNCertificate, CARevocation,
CertificateChain, Certifcate and CertificateKey per
directory context
Product: Apache httpd-2
Version: 2.5-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: calestyo@scientia.net
Classification: Unclassified
Hi.
It's already possible to set the Client Auth Requirements per directory
context, which triggers a renegotiations. The same is true for the CipherSuite.
I'm not an SSL/TLS expert, but some of the following suggestions might be
possible to (eventually) implement:
SSLCACertificateFile
SSLCACertificatePath
SSLCADNRequestFile
SSLCADNRequestPath
SSLCARevocationFile
SSLCARevocationPath
SSLCertificateChainFile
SSLCertificateFile
SSLCertificateKeyFile
should be settable per directory-context.
I don't know whether SSL/TLS allows changing the server certificates,
certificate chains and the proposed DNs in renegotiations...
But at least CACertificate should be changeable on a per directory basis, as
this is only a server side verification.
Cheers,
Chris.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 52495] CACertificate, CADNCertificate,
CARevocation, CertificateChain, Certifcate and CertificateKey per directory
context
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52495
--- Comment #1 from Kaspar Brand <as...@velox.ch> 2012-02-04 07:29:37 UTC ---
(In reply to comment #0)
Short reply: it's rather unlikely that most of this is ever going to happen
(unless some future release of OpenSSL would extend its API for changing
connection settings).
Longer reply - looking at the directives in question:
> SSLCACertificateFile
> SSLCACertificatePath
OpenSSL doesn't allow changing the list of trusted CAs once a connection has
been established (there's SSL_CTX_load_verify_locations(), but no
SSL_load_verify_locations()).
> SSLCADNRequestFile
> SSLCADNRequestPath
This is doable, in theory (OpenSSL provides SSL_set_client_CA_list()), but IMO
of limited use as long as SSLCACertificateFile/SSLCACertificatePath can't be
adjusted. It would only change the list of DNs ("hints") sent to the client to
assist him in picking an appropriate cert, but verification would still be
based on the per-vhost list of trusted CAs.
> SSLCARevocationFile
> SSLCARevocationPath
These should simply mirror the options for
SSLCACertificateFile/SSLCACertificatePath (there's no point in making them
configurable per directory as long as the list of trusted CAs can only be
configured at the vhost level).
> SSLCertificateChainFile
> SSLCertificateFile
> SSLCertificateKeyFile
Changing the certificate when renegotiating is permitted by the spec, in
theory, but it's hard to see a use case for per-directory configuration of the
server cert. It would have to include the same DNS name(s) as the one
configured at the VirtualHost level (ServerName/ServerAlias directives), since
clients might otherwise (rightfully) reject the new cert due to name
mismatches.
Generally speaking, I would recommend to separate sites with differing TLS
requirements into their own virtual hosts (perhaps based on SNI, depending on
the browsers you need to support). This can also reduce the number of required
renegotiations, which has further performance benefits.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org