Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/09/28 12:06:12 UTC
[Bug 62769] New: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62769
Bug ID: 62769
Summary: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Product: Apache httpd-2
Version: 2.4.34
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: gunnar.lukas@att.com
Target Milestone: ---
Apache in reverse proxy mode with clientside certificate authentication
configured and TLS connection to the backend via ProxyPass (mod_proxy).
After an update from
Apache/2.4.29 (Unix) OpenSSL/1.1.0g to
Apache/2.4.34 (Unix) OpenSSL/1.1.0i
with no configuration change the Apache error log did throw many errors:
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1688): [client 10.227.8.133:11443] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1714): [client 10.227.8.133:11443] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
Figured out that the complaints were caused by some new behaviour in checking
the backend server certificate. I could omit the AH02040 by setting
SSLVerifyDepth from 1 to 2. And here my confusion starts.
Why does it affect the backend side TLS connection if I configure parameters
for the frontside TLS connection? We have only one level of CA hierarchy for
client certificates and I don't want to set 2 here.
I was not able to overcome the AH02039 error. The certificate chain of the
backend server's certificate is not interesting on reverse proxy level and was
not needed in the last decades. Something changed which messed this up.
Or is it wanted behaviour introduced by a new feature? I cannot find anything
in the release notes of Apache or OpenSSL.
# Frontend (client-facing) server certificate, and the CA that issues the client
# certificates accepted by SSLVerifyClient below
SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLCACertificateFile client-ca.crt
SSLCertificateChainFile Server_CA.crt
SSLOptions +StdEnvVars +ExportCertData
# Backend (mod_proxy) checks switched off here: host name, CN and expiry of the
# backend server certificate are not validated
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
<VirtualHost *:443>
    ServerName test.com
    SSLEngine on
    SSLProxyEngine on
    <Location /portal>
        ProxyPass https://1.2.3.4/portal
        ProxyPassReverse https://1.2.3.4/portal
        SSLRequireSSL
        # Client-certificate authentication for the frontend connection;
        # depth raised from 1 to 2 as described above to get rid of AH02040
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
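The two errors in the log above can be reproduced outside httpd with openssl(1), which is a quick way to see what a backend actually sends and what depth its chain needs. The script below is an added example, not code from the report or from the httpd project; it generates its own root, intermediate and server certificates (constructed test data) and assumes OpenSSL 1.1.0 or later on PATH. Here -CAfile stands in for SSLProxyCACertificateFile (SSLCACertificateFile on the frontend) and -verify_depth for SSLProxyVerifyDepth (SSLVerifyDepth). Two things help when reading the log: OpenSSL counts depth from 0, so an error at depth 2 concerns the third certificate, i.e. the backend sent its own certificate, an intermediate and a self-signed root; and AH02040 is mod_ssl's own check in its verify callback, raised whenever the certificate being examined lies deeper than the configured depth, which is why raising SSLVerifyDepth to 2 silenced AH02040 but not AH02039 (the root was still in no trust store the proxy consulted).

```shell
#!/bin/sh
# Added example (not from the bug report or httpd): reproduce OpenSSL error 19
# ("self signed certificate in certificate chain") and the chain-depth limit
# with openssl(1). Assumes openssl >= 1.1.0 on PATH. Every certificate used
# here is generated below as constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config files so the example does not depend on the system openssl.cnf.
printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > int.ext
printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:backend.example' > srv.ext

# Three-level chain: self-signed root -> intermediate -> backend server cert,
# the shape of chain the backend in the report hands to the proxy.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj '/CN=Example Root' -days 1 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj '/CN=Example Intermediate' 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile int.ext -days 1 -out int.crt 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout srv.key -out srv.csr -subj '/CN=backend.example' 2>/dev/null
openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile srv.ext -days 1 -out srv.crt 2>/dev/null

# What a backend typically sends in the handshake besides its own certificate:
# the intermediate and, as in the report, the self-signed root.
cat int.crt root.crt > sent_chain.pem

# verify_chain OPTIONS...: run "openssl verify OPTIONS srv.crt" and reduce the
# outcome to one token. -CAfile plays the role of SSLProxyCACertificateFile,
# -verify_depth the role of SSLProxyVerifyDepth (or SSLVerifyDepth).
verify_chain() {
    out=$(openssl verify "$@" srv.crt 2>&1) || true
    case "$out" in
        *"error 19 at"*) echo SELF_SIGNED_IN_CHAIN ;;   # AH02039 in the report
        *"error 22 at"*) echo CHAIN_TOO_LONG ;;         # OpenSSL's own depth limit
        *"srv.crt: OK"*) echo OK ;;
        *)               echo "OTHER: $out" ;;
    esac
}

# 1. Root trusted, one intermediate allowed: verifies.
echo "trusted root, depth 1:          $(verify_chain -CAfile root.crt -untrusted int.crt -verify_depth 1)"
# 2. Root trusted and the backend's full chain (root included) accepted: verifies.
echo "trusted root, full chain sent:  $(verify_chain -CAfile root.crt -untrusted sent_chain.pem -verify_depth 2)"
# 3. No trust store holds the root, but the peer sent it: error 19.
echo "no trust store:                 $(verify_chain -no-CAfile -no-CApath -untrusted sent_chain.pem)"
# 4. Depth 0 permits no intermediate at all: error 22.
echo "trusted root, depth 0:          $(verify_chain -CAfile root.crt -untrusted int.crt -verify_depth 0)"
```

Case 3 is the proxy's situation in the report: the backend sends a chain ending in a self-signed root that the proxy has in no trust store. Case 2 is what the corrected configuration amounts to, a trust store holding that root plus a depth large enough for it. Note that OpenSSL's -verify_depth counts intermediates only (a chain of depth 1 may hold three certificates), while mod_ssl's AH02040 compares the 0-based depth of the certificate it is looking at with the configured value, so the same three-certificate chain needs SSLProxyVerifyDepth 2 in httpd.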
[Bug 62769] no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62769
--- Comment #1 from Ruediger Pluem <rp...@apache.org> ---
Created attachment 36178
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36178&action=edit
Use parameters from Proxy config
Does the attached patch against 2.4.x fix your problem?
[Bug 62769] no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62769
Christophe JAILLET <ch...@wanadoo.fr> changed:
What         Removed    Added
Resolution   ---        FIXED
Status       NEW        RESOLVED
--- Comment #4 from Christophe JAILLET <ch...@wanadoo.fr> ---
This has been backported in 2.4.x in r1843370.
This is part of 2.4.36
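The frontend and backend sides of a mod_ssl reverse proxy are governed by separate directive families: SSLVerifyClient, SSLVerifyDepth and SSLCACertificateFile decide how client certificates are checked on the listener, while SSLProxyVerify, SSLProxyVerifyDepth, SSLProxyCACertificateFile and SSLProxyCheckPeer* decide how the backend's certificate is checked. The symptoms in the report are what happens when the first family is also applied to the backend connection, which the fix backported for 2.4.36 stops. The fragment below is an added example of keeping the two apart, not configuration from the report or from httpd's documentation; the certificate file names and the backend host name are assumptions. It keeps the client-certificate check at depth 1, verifies the backend against its own trust store, and leaves the SSLProxyCheckPeer* checks at their default of on rather than switching them off, because with them off any certificate chaining to the backend CA is accepted for any host name.

```apache
# Frontend: the listener clients connect to. Client-certificate checks live
# here and, from 2.4.36 on, stay here even when set inside <Location>.
<VirtualHost *:443>
    ServerName test.com
    SSLEngine on
    # assumed file names (not from the report): server certificate, key, and
    # the single CA that issues client certificates
    SSLCertificateFile /etc/ssl/httpd/server.crt
    SSLCertificateKeyFile /etc/ssl/httpd/server.key
    SSLCACertificateFile /etc/ssl/httpd/client-ca.crt

    # Backend: the TLS connection mod_proxy opens. These directives, not the
    # SSLVerify* ones, decide how the backend's certificate is checked.
    SSLProxyEngine on
    # verify the backend instead of only logging the outcome (default: none)
    SSLProxyVerify require
    # the backend presents server <- intermediate <- root; the root sits at
    # depth 2, so 2 is needed here (the default of 1 triggers AH02040)
    SSLProxyVerifyDepth 2
    # assumed file: the backend CA's root (the intermediate may be included too)
    SSLProxyCACertificateFile /etc/ssl/httpd/backend-ca.crt
    # SSLProxyCheckPeerName, SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire
    # are deliberately left at their default (on): with them off, any
    # certificate chaining to backend-ca.crt is accepted for any host name,
    # expired or not.

    <Location /portal>
        # assumed backend name; with SSLProxyCheckPeerName on it must match
        # the backend's certificate
        ProxyPass https://backend.example/portal
        ProxyPassReverse https://backend.example/portal
        SSLRequireSSL
        # frontend only: client certificates issued directly by client-ca.crt
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
```

Comments in httpd configuration must sit on their own lines; a `#` after a directive on the same line is parsed as part of the directive's arguments and rejected at startup.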
[Bug 62769] no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62769
Ruediger Pluem <rp...@apache.org> changed:
What         Removed    Added
Keywords                FixedInTrunk, PatchAvailable
--- Comment #3 from Ruediger Pluem <rp...@apache.org> ---
Committed to trunk in r1842540.
[Bug 62769] no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62769
--- Comment #2 from Gunnar Lukas <gu...@att.com> ---
Could check in dev/int against 2.4.34, error messages are gone there.
unpatched:
[Mon Oct 01 11:35:58.385491 2018] [mpm_prefork:notice] [pid 29524] AH00163: Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:35:58.385518 2018] [core:notice] [pid 29524] AH00094: Command line: '/bin/httpd.2.4.34 -D SSL -f /conf/httpd.conf'
[Mon Oct 01 11:35:58.686733 2018] [ssl:error] [pid 29529] [remote 10.22.9.33:32000] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Mon Oct 01 11:35:58.686745 2018] [ssl:error] [pid 29529] [remote 10.22.9.33:32000] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
patched:
[Mon Oct 01 11:37:28.339636 2018] [mpm_prefork:notice] [pid 29880] AH00163: Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:37:28.339667 2018] [core:notice] [pid 29880] AH00094: Command line: '/bin/httpd.2.4.34.p1 -D SSL -f /conf/httpd.conf'