Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/12/10 18:13:29 UTC

[Bug 63000] New: SSLCA* based directives never honoured for the client certificate auth for providing the CA names

https://bz.apache.org/bugzilla/show_bug.cgi?id=63000

            Bug ID: 63000
           Summary: SSLCA* based directives never honoured for the client
                    certificate auth for providing the CA names
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: regression
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: sbkrishna_segu@yahoo.com
  Target Milestone: ---

I have configured the latest httpd version, 2.4.37, on my CentOS and OS X boxes.

I have configured my vhost file to support mutual-auth-based authentication as
follows:

<VirtualHost *:443>
ServerName test.mutual.auth.dev
ErrorLog /var/log/apache2/ssl_mutualauth_error_log
TransferLog /var/log/apache2/ssl_mutualauth_access_log
LogLevel debug

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile /mutualauth/data/portalCA/asf-cert.pem
SSLCertificateKeyFile /mutualauth/data/portalCA/server-key.pem
SSLCertificateChainFile /mutualauth/data/portalCA/ca-cert.pem

SSLVerifyClient require
SSLCACertificatePath    /mutualauth/data/certs/
SSLVerifyDepth          5
SSLHonorCipherOrder     On

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache2/ssl_asf_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPreserveHost on
</VirtualHost>

With the above configuration, when I issue "openssl s_client
-connect test.mutual.auth.dev:443", I get "No client certificate CA names sent".

But the same configuration, when tried with httpd 2.4.20, gives the
appropriate configured CA names.

The behaviour is the same when using SSLCACertificateFile, SSLCADNRequestPath
and SSLCADNRequestFile.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
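
A regression check for the behaviour reported above, as an added example that is not part of the original report or of httpd: it classifies `openssl s_client` output by whether the server advertised client CA names. The function names, the embedded sample outputs (constructed, not captured from a server) and the rule used to detect the end of the name list are assumptions of this example.

```shell
#!/bin/sh
# Classify s_client output read on stdin.
# Exit status: 0 = CA names advertised (printed one per line)
#              1 = "No client certificate CA names sent"
#              2 = neither marker seen (handshake failed or output truncated)
ca_names_from_s_client() {
    awk '
        /^Acceptable client certificate CA names$/ { collecting = 1; seen = 1; next }
        /^No client certificate CA names sent$/    { none = 1; next }
        # Heuristic (assumption): the list ends at "---" or at the next
        # "Label: value" line, e.g. "Client Certificate Types: ...".
        collecting && (/^---$/ || /^[A-Za-z ]+: /) { collecting = 0 }
        collecting && NF { print; count++ }
        END {
            if (count > 0) exit 0
            if (none || seen) exit 1
            exit 2
        }
    '
}

# Live check against host:port supplied by the caller (needs the openssl CLI).
check_server() {
    openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>/dev/null |
        ca_names_from_s_client
}

# Constructed sample outputs for offline use.
SAMPLE_WITH_NAMES='---
Acceptable client certificate CA names
/C=US/O=Example Org/CN=Example Client CA 1
/C=US/O=Example Org/CN=Example Client CA 2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---'
SAMPLE_NO_NAMES='---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---'

# Demo on the constructed sample: prints the two example DNs.
printf '%s\n' "$SAMPLE_WITH_NAMES" | ca_names_from_s_client
```

Running `check_server test.mutual.auth.dev:443` before and after an httpd upgrade and comparing the exit status and printed names shows whether the SSLCA* configuration is still reflected in the handshake.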


[Bug 63000] SSLCA* based directives never honoured for the client certificate auth for providing the CA names

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63000

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.5-HEAD                    |2.4.37
