Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/09/28 12:06:12 UTC

[Bug 62769] New: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62769

            Bug ID: 62769
           Summary: no dedicated handling of frontend and backend TLS
                    connections anymore in the context of clientside
                    client certificate authentication.
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: gunnar.lukas@att.com
  Target Milestone: ---

Apache in reverse proxy mode with clientside certificate authentication
configured and TLS connection to the backend via Proxypass (mod_proxy)

After an update from 

Apache/2.4.29 (Unix) OpenSSL/1.1.0g to 
Apache/2.4.34 (Unix) OpenSSL/1.1.0i

with no configuration change, the Apache error log did throw many errors:

[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1688):
[client 10.227.8.133:11443] AH02039: Certificate Verification: Error (19): self
signed certificate in certificate chain
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1714):
[client 10.227.8.133:11443] AH02040: Certificate Verification: Certificate
Chain too long (chain has 2 certificates, but maximum allowed are only 1)

Figured out that the complaints were caused by some new behaviour in checking
the backend server certificate. I could omit the AH02040 by setting
SSLVerifyDepth from 1 to 2. And here my confusion starts.

Why does it affect the backend side TLS connection if I configure parameters
for the frontside TLS connection? We have only one level of CA hierarchy for
client certificates and I don't want to set 2 here.

I was not able to overcome the AH02039 error. The certificate chain of the
backend server's certificate is not interesting on reverse proxy level and was
not needed for the last decades. Something changed which messed this up.
Or is it wanted behaviour introduced by a new feature? I cannot find anything
in the release notes of Apache or OpenSSL.


SSLCertificateFile      server.crt
SSLCertificateKeyFile   server.key
SSLCACertificateFile    client-ca.crt
SSLCertificateChainFile Server_CA.crt
SSLOptions              +StdEnvVars +ExportCertData

SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

<VirtualHost *:443>
   ServerName test.com
   SSLEngine      on
   SSLProxyEngine on

   <Location /portal>
      ProxyPass         https://1.2.3.4/portal
      ProxyPassReverse  https://1.2.3.4/portal
      SSLRequireSSL
      SSLVerifyClient         require
      SSLVerifyDepth          2
   </Location>
</VirtualHost>

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
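An added configuration example, not taken from the report or from the attached patch, showing how mod_ssl's dedicated SSLProxy* directives let the backend peer verification be configured independently of the frontend client-certificate settings (the confusion the report describes). The backend CA file backend-ca.crt, the backend hostname and the backend depth of 2 are assumed values for this example.

```apache
# Frontend: client-certificate authentication of browsers hitting the proxy.
# server.crt, Server_CA.crt and client-ca.crt are the file names used in the
# report; the single CA level means a depth of 1 is enough here.
SSLCertificateFile      server.crt
SSLCertificateKeyFile   server.key
SSLCertificateChainFile Server_CA.crt
SSLCACertificateFile    client-ca.crt

# Backend: verification of the upstream server's certificate is governed by
# the SSLProxy* directives, not by SSLVerifyDepth / SSLCACertificateFile.
# backend-ca.crt (the CA that issued the backend certificate) and the depth
# of 2 (backend cert chain with an intermediate) are assumptions.
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile backend-ca.crt
# Enabling hostname and expiry checks on the backend closes the gap left by
# the "off" settings in the report; the ProxyPass target must then be a
# hostname that matches the backend certificate.
SSLProxyCheckPeerName     on
SSLProxyCheckPeerExpire   on

<VirtualHost *:443>
   ServerName     test.com
   SSLEngine      on
   SSLProxyEngine on

   <Location /portal>
      # backend.example.internal is an assumed backend hostname.
      ProxyPass         https://backend.example.internal/portal
      ProxyPassReverse  https://backend.example.internal/portal
      SSLRequireSSL
      SSLVerifyClient   require
      SSLVerifyDepth    1
   </Location>
</VirtualHost>
```

With this split, AH02040 on the backend leg is addressed by SSLProxyVerifyDepth alone, and the frontend keeps its one-level client CA hierarchy.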



--- Comment #1 from Ruediger Pluem <rp...@apache.org> ---
Created attachment 36178
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36178&action=edit
Use parameters from Proxy config

Does the attached patch against 2.4.x fix your problem?




Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Christophe JAILLET <ch...@wanadoo.fr> ---
This has been backported in 2.4.x in r1843370.

This is part of 2.4.36




Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk,
                   |                            |PatchAvailable

--- Comment #3 from Ruediger Pluem <rp...@apache.org> ---
Committed to trunk in r1842540.




--- Comment #2 from Gunnar Lukas <gu...@att.com> ---
Could check in dev/int against 2.4.34, error messages are gone there.

unpatched:
[Mon Oct 01 11:35:58.385491 2018] [mpm_prefork:notice] [pid 29524] AH00163:
Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:35:58.385518 2018] [core:notice] [pid 29524] AH00094: Command
line: '/bin/httpd.2.4.34 -D SSL -f /conf/httpd.conf'
[Mon Oct 01 11:35:58.686733 2018] [ssl:error] [pid 29529] [remote
10.22.9.33:32000] AH02039: Certificate Verification: Error (19): self signed
certificate in certificate chain
[Mon Oct 01 11:35:58.686745 2018] [ssl:error] [pid 29529] [remote
10.22.9.33:32000] AH02040: Certificate Verification: Certificate Chain too long
(chain has 2 certificates, but maximum allowed are only 1)


patched:
[Mon Oct 01 11:37:28.339636 2018] [mpm_prefork:notice] [pid 29880] AH00163:
Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:37:28.339667 2018] [core:notice] [pid 29880] AH00094: Command
line: '/bin/httpd.2.4.34.p1 -D SSL -f /conf/httpd.conf'
