Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/05/01 15:46:58 UTC

DO NOT REPLY [Bug 47134] New: Last resolve handling when sending client certificate in SSLProxy

https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

           Summary: Last resolve handling when sending client certificate
                    in SSLProxy
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apache@shoenix.net


Created an attachment (id=23569)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23569)
Patch for sending first configured client cert as last resolve

Currently the selection of the correct client certificate when using the
SSLProxy functionality is fully dependent on the CA list returned by the
server. When no exact match is found between client cert issuer and one of the
CA's in the list from the server the connection fails.

In my environment we communicate with a probably misconfigured server that has
not got the exact same issuer CA in its list as it used in the provided client
certificate. This causes the connection to fail because no correct client cert
can be found. The problem is that the provider probably assumes that the
complete CA chain is tested against all returned CA's from the server since the
client certificate's root cert is indeed in the list, but the current code only
seems to check against the issuer as found in the client cert and not the
entire CA chain.

To solve the problem the attached patch was done against 2.2.11 to allow the
certificate selection routine to return the first configured certificate in the
list if no exact match can be found. 

I realise that this is probably bugfixing at the wrong end, but if so,
questions must be made if the server was configured incorrectly, or if the way
mod_ssl evaluates the candidate certificates is the correct way.

In both cases I see no harm in returning the first client cert in the list as a
last resolve since existing functionality is not changed, but some might
disagree.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
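As an added illustration (not mod_ssl's code and not the attached patch), the following C model shows the selection the report describes: the server's list of acceptable CA names is matched against either only the leaf certificate's immediate issuer, as the reporter observes mod_ssl doing, or against the whole issuer chain, with the patch's fallback of sending the first configured certificate when nothing matches. All names, structures and the two-certificate scenario are constructed for this example.

```c
/* Constructed model of client-certificate selection for a TLS client.
 * Certificates and CA names are represented by their DN strings. */
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 4

typedef struct {
    const char *subject;
    /* issuer DNs, immediate issuer first, root last, NULL-terminated */
    const char *chain[MAX_CHAIN];
} client_cert_t;

enum { MATCH_LEAF_ISSUER = 0, MATCH_FULL_CHAIN = 1 };

static int name_in_list(const char *name, const char *const *ca_names, int n_ca)
{
    for (int i = 0; i < n_ca; i++)
        if (strcmp(name, ca_names[i]) == 0) return 1;
    return 0;
}

/* Returns the index of the chosen certificate, or -1 when none is
 * acceptable and no fallback is allowed. With fallback_first set, the
 * first configured certificate is returned even though the server did not
 * list any of its issuers; whether the peer then accepts it is up to the peer. */
int select_client_cert(const client_cert_t *certs, int n_certs,
                       const char *const *ca_names, int n_ca,
                       int mode, int fallback_first)
{
    for (int i = 0; i < n_certs; i++) {
        for (int d = 0; d < MAX_CHAIN && certs[i].chain[d]; d++) {
            if (name_in_list(certs[i].chain[d], ca_names, n_ca)) return i;
            if (mode == MATCH_LEAF_ISSUER) break; /* only the immediate issuer */
        }
    }
    return (fallback_first && n_certs > 0) ? 0 : -1;
}

/* Scenario from the report: the server advertises only its root CA, while the
 * first client cert was issued by an intermediate chaining to that root. */
static const client_cert_t CERTS[] = {
    { "CN=client.example.com", { "CN=Example Intermediate CA", "CN=Example Root CA", NULL } },
    { "CN=other.example.com",  { "CN=Example Root CA", NULL } },
};
static const char *const SERVER_CA_NAMES[] = { "CN=Example Root CA" };

int main(void)
{
    printf("one cert, leaf issuer only : %d\n", select_client_cert(CERTS, 1, SERVER_CA_NAMES, 1, MATCH_LEAF_ISSUER, 0));
    printf("one cert, full chain       : %d\n", select_client_cert(CERTS, 1, SERVER_CA_NAMES, 1, MATCH_FULL_CHAIN, 0));
    printf("one cert, leaf + fallback  : %d\n", select_client_cert(CERTS, 1, SERVER_CA_NAMES, 1, MATCH_LEAF_ISSUER, 1));
    printf("two certs, leaf issuer only: %d\n", select_client_cert(CERTS, 2, SERVER_CA_NAMES, 1, MATCH_LEAF_ISSUER, 0));
    return 0;
}
```

With a single configured certificate the leaf-only rule finds nothing (the observed failure), the full-chain rule accepts it, and the fallback sends it regardless; with a second certificate issued directly by the advertised CA, the leaf-only rule picks that one and the fallback is never reached.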


[Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

Jason <jb...@tresgeek.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.2.11                      |2.2.25

--- Comment #5 from Jason <jb...@tresgeek.net> ---
Issue still persists in 2.2.25.  Attaching updated patch.



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

J-H Johansen <on...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #26959|0                           |1
        is obsolete|                            |

--- Comment #4 from J-H Johansen <on...@gmail.com> 2011-05-10 10:19:29 UTC ---
Created attachment 26981
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=26981
Apache 2.2.17 w/mod_ssl patch

Here's the unified diff file for patching ssl_engine_kernel.c (as posted by
Martijn Schoemaker).
This resolved a problem related to the use of SSLProxy with a client
certificate.

The configuration used mod_proxy as a reverse proxy to an HTTPS server with a
certificate signed by CA.
The client certificate (SSLProxyMachineCertificateFile) was signed by the
aforementioned CA and the config was pointing to this CA
(SSLProxyCACertificateFile).
A standard Apache 2.2.17 installation did not find the client certificate and
therefore failed.

Here's an excerpt from the debug log while it was failing:
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server hello A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client
127.0.0.10] Certificate Verification: depth: 1, subject:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example
CA/emailAddress=xx@xx.xxx, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream
County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client
127.0.0.10] Certificate Verification: depth: 0, subject:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example
CA/emailAddress=xx@xx.xxx
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server certificate A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server key exchange A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server certificate request A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 read server done A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1660): Proxy client
certificate callback: (www.example.com:443) entered
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1705): Proxy client
certificate callback: (www.example.com:443) no client certificate found!?
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 write client certificate A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 write client key exchange A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 write change cipher spec A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 write finished A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop:
SSLv3 flush data


After patching the client certificate was sent correctly.

[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 read server hello A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client
127.0.0.10] Certificate Verification: depth: 1, subject:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example
CA/emailAddress=xx@xx.xxx, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream
County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client
127.0.0.10] Certificate Verification: depth: 0, subject:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer:
/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example
CA/emailAddress=xx@xx.xxx
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 read server certificate A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 read server key exchange A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 read server certificate request A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 read server done A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1660): Proxy client
certificate callback: (www.example.com:443) entered
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1705): Proxy client
certificate callback: (www.example.com:443) no client certificate found!?
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1633): Proxy client
certificate callback: (www.example.com:443) No acceptable cert found, sending
first in list., sending /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example
Client Cert/emailAddress=xx@xx.xxx
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 write client certificate A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 write client key exchange A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 write certificate verify A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 write change cipher spec A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 write finished A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop:
SSLv3 flush data



[Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

--- Comment #6 from Jason <jb...@tresgeek.net> ---
Created attachment 30826
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=30826&action=edit
Updated patch for 2.2.25



[Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

Jason <jb...@tresgeek.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jbnance@tresgeek.net



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

--- Comment #2 from J-H Johansen <on...@gmail.com> 2011-05-04 15:18:42 UTC ---
Created attachment 26959
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=26959
Modified code for Apache 2.2.17

Line number of the function ssl_callback_proxy_cert() differs from Martijn
Schoemaker's 2.2.11 version.



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

--- Comment #3 from J-H Johansen <on...@gmail.com> 2011-05-04 15:21:59 UTC ---
This fix has been verified OK on a modified Apache 2.2.17 installation.
I've uploaded the modified ssl_engine_kernel.c code. Changes from the existing
version are on lines 1709-1713.
Great work, Martijn :)



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

wiktor.wodecki@net-m.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wiktor.wodecki@net-m.de



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

J-H Johansen <on...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P3
           Severity|enhancement                 |normal



DO NOT REPLY [Bug 47134] Last resolve handling when sending client certificate in SSLProxy

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47134


Martijn Schoemaker <ap...@shoenix.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #23569|0                           |1
        is obsolete|                            |

--- Comment #1 from Martijn Schoemaker <ap...@shoenix.net>  2009-05-01 07:24:42 PST ---
Created an attachment (id=23570)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23570)
Patch for sending first configured client cert as last resolve.

Updated the patch to conform to patch submission guidelines.
