Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/08/10 01:20:14 UTC

DO NOT REPLY [Bug 49731] New: SSLVerifyClient and SSL virtual hosts don't work quite right

https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

           Summary: SSLVerifyClient and SSL virtual hosts don't work quite right
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dlongley@digitalbazaar.com


If your apache configuration consists of multiple SSL virtual hosts on the same
IP that have different values for SSLVerifyClient then only the first
configuration is used.

For instance, if the configuration for 0-example1.com sets SSLVerifyClient to
'none' and the configuration for 1-example2.com sets SSLVerifyClient to
'optional_no_ca', then no CertificateRequest message will be sent out over the
TLS protocol regardless of the SNI value in the ClientHello extension.

If the situation is reversed (0-example2.com and 1-example1.com) then a
CertificateRequest message will be sent out for both domains.

This can be confirmed using two Apache website configurations with SSL enabled
(one with 'SSLVerifyClient none' and the other with 'SSLVerifyClient
optional_no_ca') and openSSL's s_client tool as the client:

openssl s_client -tls1 -debug -msg -state -servername example1.com
openssl s_client -tls1 -debug -msg -state -servername example2.com

Apache's SNI handler should determine whether or not to send a
CertificateRequest (modify peer verify mode) based on the requested host;
however, it does not.

This bug could be particularly painful for large collections of SSL-enabled
sites that are served by Apache where only one or two of the sites require or
might require client-side certificates. If one of the configurations for those
sites isn't loaded first then client-side certificates will never be sent. If
one of them is loaded first then every other SSL site will either simply fail
(in the cert-required case) or cause browsers to pop up client-certificate UIs
(in the cert-optional case where the browser user has an available certificate
in their browser key-chain).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 49731] SSLVerifyClient and SSL virtual hosts don't work quite right

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

--- Comment #2 from Dave Longley <dl...@digitalbazaar.com> 2010-08-10 11:48:16 EDT ---
(In reply to comment #1)
> Name-based virtual hosts are not supported with SSL, especially not with this
> old version. Use the latest version and clients and an openssl version on the
> server side which supports SNI, and everything works as expected.

The problem seems to persist in version 2.2.16. I have two site configurations
where one uses 'SSLClientVerify optional_no_ca' and another uses
'SSLClientVerify none'. When using a TLS client (one that prints out the SNI
hostname that it is sending the server), I receive a CertificateRequest for
both sites. The content served does (correctly) depend on the hostname
provided, so the virtual host option is functioning correctly.

I will try to confirm this using two vanilla configurations and add them to
this bug (and reopen it if confirmed). Perhaps that will reveal it is only a
configuration issue. I assume Apache 2.2.16 is the latest version you're
referring to of 2.2? I can find tarballs for 2.3.6 but I didn't think that you
meant Apache 2.3.



DO NOT REPLY [Bug 49731] SSLVerifyClient and SSL virtual hosts don't work quite right

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

--- Comment #4 from Dave Longley <dl...@digitalbazaar.com> 2010-08-10 15:12:08 EDT ---
(In reply to comment #3)
> (In reply to comment #2)
> 
> > The problem seems to persist in version 2.2.16. I have two site configurations
> > where one uses 'SSLClientVerify optional_no_ca' and another uses
> > 'SSLClientVerify none'. When using a TLS client (one that prints out the SNI
> > hostname that it is sending the server), I receive a CertificateRequest for
> 
> Are you sure that your httpd 2.2.16 was compiled against an SNI-capable openssl
> and that it is running against one? E.g. RHEL 4 / 5 provided openssl packages
> are NOT SNI capable.

Yes. I am printing out the data sent to the server and it includes the SNI
entry.

> 
> > both sites. The content served does (correctly) depend on the hostname
> > provided, so the virtual host option is functioning correctly.
> > 
> > I will try to confirm this using two vanilla configurations and add them to
> > this bug (and reopen it if confirmed). Perhaps that will reveal it is only a
> > configuration issue. I assume Apache 2.2.16 is the latest version you're
> > referring to of 2.2? I can find tarballs for 2.3.6 but I didn't think that you
> > meant Apache 2.3.
> 
> Yes, I meant the latest 2.2.

I have confirmed that this is fixed in the latest version of Apache. In the
quick test I ran before my last comment I didn't specify the host+port in the
command line options for openssl s_client. They must be specified in addition
to the -servername option; it will not default in the way one might think (but
this is an openssl issue).

After creating vanilla configurations and running everything through it all
worked correctly with both the 'SSLVerifyClient require' and 'SSLVerifyClient
optional_no_ca' options combined with 'SSLVerifyClient none' for the other
host. This is why it's good to confirm :).

Everything works now with Apache 2.2.16. Thanks!

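The test procedure from the original report (one s_client run per SNI name, looking for a CertificateRequest in the handshake) combined with the lesson from comment #4 (host:port must be given with -connect alongside -servername), as an added script that is not part of the bug report or of httpd. It assumes openssl is on PATH, takes host, port and two SNI names as arguments, and leaves out the report's -tls1 flag (add it back if the server only speaks TLS 1.0); the embedded s_client output is constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report or httpd): for each SNI name on one
# shared IP:port, report whether the server sent a TLS CertificateRequest,
# the signal the report uses to tell which SSLVerifyClient value is in effect.
# Assumes 'openssl' is on PATH; host, port and names are caller input.

# Return 0 if captured 'openssl s_client -msg' output contains a
# CertificateRequest handshake message, 1 otherwise.
saw_cert_request() {
    printf '%s\n' "$1" | grep -q 'CertificateRequest'
}

# Probe one virtual host. Both -connect HOST:PORT and -servername NAME are
# given: as comment #4 notes, -servername alone does not pick the target.
probe_vhost() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$3" \
              -msg 2>&1)
    if saw_cert_request "$out"; then
        echo "$3: CertificateRequest received (client certificate requested)"
    else
        echo "$3: no CertificateRequest (SSLVerifyClient none is in effect)"
    fi
}

# Probe two names on the same IP:port; the results should differ when one
# vhost has 'SSLVerifyClient none' and the other 'optional_no_ca' or 'require'.
compare_vhosts() {
    probe_vhost "$1" "$2" "$3"
    probe_vhost "$1" "$2" "$4"
}

# Constructed sample s_client -msg output (not a real capture) so the parser
# can be exercised offline.
SAMPLE_WITH_REQUEST='>>> TLS 1.2 Handshake [length 00c5], ClientHello
<<< TLS 1.2 Handshake [length 0041], ServerHello
<<< TLS 1.2 Handshake [length 0015], CertificateRequest
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone'
SAMPLE_WITHOUT_REQUEST='>>> TLS 1.2 Handshake [length 00c5], ClientHello
<<< TLS 1.2 Handshake [length 0041], ServerHello
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone'

# Usage (constructed values): sh probe.sh 203.0.113.10 443 example1.com example2.com
if [ $# -eq 4 ]; then
    compare_vhosts "$1" "$2" "$3" "$4"
else
    saw_cert_request "$SAMPLE_WITH_REQUEST" && echo "sample 1: CertificateRequest present"
    saw_cert_request "$SAMPLE_WITHOUT_REQUEST" || echo "sample 2: CertificateRequest absent"
fi
```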


DO NOT REPLY [Bug 49731] SSLVerifyClient and SSL virtual hosts don't work quite right

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

--- Comment #3 from Ruediger Pluem <rp...@apache.org> 2010-08-10 14:34:20 EDT ---
(In reply to comment #2)

> The problem seems to persist in version 2.2.16. I have two site configurations
> where one uses 'SSLClientVerify optional_no_ca' and another uses
> 'SSLClientVerify none'. When using a TLS client (one that prints out the SNI
> hostname that it is sending the server), I receive a CertificateRequest for

Are you sure that your httpd 2.2.16 was compiled against an SNI-capable openssl
and that it is running against one? E.g. RHEL 4 / 5 provided openssl packages
are NOT SNI capable.

> both sites. The content served does (correctly) depend on the hostname
> provided, so the virtual host option is functioning correctly.
> 
> I will try to confirm this using two vanilla configurations and add them to
> this bug (and reopen it if confirmed). Perhaps that will reveal it is only a
> configuration issue. I assume Apache 2.2.16 is the latest version you're
> referring to of 2.2? I can find tarballs for 2.3.6 but I didn't think that you
> meant Apache 2.3.

Yes, I meant the latest 2.2.



DO NOT REPLY [Bug 49731] SSLVerifyClient and SSL virtual hosts don't work quite right

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

Ruediger Pluem <rp...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Ruediger Pluem <rp...@apache.org> 2010-08-10 05:28:36 EDT ---
Name-based virtual hosts are not supported with SSL, especially not with this
old version. Use the latest version and clients and an openssl version on the
server side which supports SNI, and everything works as expected.
