httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 35083] - Certificate validation problems trapping
Date Wed, 31 Aug 2005 10:33:23 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35083>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35083

------- Additional Comments From jorton@redhat.com  2005-08-31 12:33 -------
The specific configuration I'm talking about would be:

  SSLVerifyClient optional_no_ca
  SSLRequire %{SSL_VERIFY_CLIENT} eq "SUCCESS"
  ErrorDocument 403 /bzzt.html

but, I guess for the case where the cert has been revoked by a CRL, or the cert
has expired, this is not sufficient, since the handshake will fail in those cases.

So the minimal enhancement that I think is acceptable is to have more
fine-grained failure modes for SSLVerifyClient.  e.g.

  SSLVerifyClient optional_revoked
  SSLVerifyClient optional_expired

or something like that.  Maybe ideally it would be possible to combine such
options perhaps, allowing

  SSLVerifyClient optional no_ca revoked expired

or using a separate directive:

  SSLVerifyClient optional
  SSLVerifyIgnoreFailures no_ca revoked expired
  
I'm not sure about the best UI here.

So I think a patch for something like this would be acceptable and is the best
way to implement this feature.  This is critical code and has a bad security
history though so it needs to be done carefully.


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
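Added illustration, not code from the bug or from mod_ssl: a small model of how the configuration in the comment above behaves. It assumes the set of verification errors that mod_ssl tolerates under `optional_no_ca` (CA-related errors only, as in its verify callback) and shows why an expired or revoked client certificate never reaches the `SSLRequire` / `ErrorDocument` trap.

```python
# Model (assumption, not mod_ssl source) of the two stages involved:
#  1. the TLS handshake, where mod_ssl's verify callback decides whether an
#     X509 verification error aborts the connection or is merely recorded;
#  2. the HTTP request, where  SSLRequire %{SSL_VERIFY_CLIENT} eq "SUCCESS"
#     combined with  ErrorDocument 403 /bzzt.html  can serve a custom page.
# Error names mirror OpenSSL's X509_V_ERR_* constants.

# Errors that "SSLVerifyClient optional_no_ca" lets through the handshake:
# all of them mean "the CA is unknown to us", nothing else (assumed set).
OPTIONAL_NO_CA_TOLERATED = {
    "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    "X509_V_ERR_CERT_UNTRUSTED",
    "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}


def handshake(mode, verify_error):
    """Return (handshake_ok, SSL_VERIFY_CLIENT value) for a client cert whose
    chain verification produced verify_error (None = verified cleanly)."""
    if verify_error is None:
        return True, "SUCCESS"
    if mode == "optional_no_ca" and verify_error in OPTIONAL_NO_CA_TOLERATED:
        # Handshake continues; the failure is exposed to SSLRequire as a variable.
        return True, "FAILED:" + verify_error
    # Expired, revoked (CRL), bad signature, ...: the TLS handshake is aborted,
    # so no HTTP request exists and no ErrorDocument can ever be served.
    return False, None


def request_outcome(mode, verify_error):
    """Apply the SSLRequire / ErrorDocument trap on top of the handshake result."""
    ok, verify_client = handshake(mode, verify_error)
    if not ok:
        return "handshake aborted (no HTTP response)"
    if verify_client == "SUCCESS":
        return "200 resource served"
    return "403 -> /bzzt.html"


if __name__ == "__main__":
    # Constructed sample of verification results for four different client certs.
    for err in (None, "X509_V_ERR_CERT_UNTRUSTED",
                "X509_V_ERR_CERT_HAS_EXPIRED", "X509_V_ERR_CERT_REVOKED"):
        print(f"{str(err):45} {request_outcome('optional_no_ca', err)}")
```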

