httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42035] New: - mod_ssl does not grok SHA-256 client certificates (+ fix)
Date Tue, 03 Apr 2007 13:23:12 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42035>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42035

           Summary: mod_ssl does not grok SHA-256 client certificates (+ fix)
           Product: Apache httpd-2
           Version: 2.0.59
          Platform: All
               URL: http://dominique.quatravaux.org/Apache-mod_ssl-SHA256/
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dominique@quatravaux.org


When trying to authenticate against an Apache 2.0.59 server over HTTP/S using
client certificates, things only go smoothly when using MD5- or SHA1-signed
certificates. SHA256-signed certificates cause an error like so:

  [Tue Apr 03 15:05:09 2007] [error] Certificate Verification: Error (7): certificate signature failure

yet the certificate is correct according to "openssl verify".

At the bug's URL you will find a test case with appropriate cryptographic keys
and certificates, a bare-bones httpd.conf, and a Makefile to start the server,
query it twice using "wget" and stop it.  The second request uses a SHA-256
certificate, and causes an error 500 (instead of the expected 404), and the
aforementioned error message is written into the error log.

Calling OpenSSL_add_all_algorithms() as part of ssl_init_SSLLibrary() in
ssl_engine_init.c and recompiling Apache solves the problem. My educated guess
is that mod_ssl doesn't know about SHA-256 by default, as no SSL or TLS cipher
uses it.

There appears to be such a call to OpenSSL_add_all_algorithms() in httpd 2.2.4's
init sequence already, although I haven't confirmed that my test case works with
it (I can't seem to get 2.2.4 to compile just now).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
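The report traces the failure to the server not recognising the SHA-256 digest named in the certificate's signature. As an added example that is not part of the bug report or of httpd, the pure-Python check below reads the signatureAlgorithm OID out of a DER-encoded X.509 certificate and flags the ones an unpatched 2.0.59 mod_ssl would reject; the certificates it runs on are constructed dummies, and the "MD5 and SHA-1 only" registry is an assumption taken from the reporter's guess.

```python
# Added example, not code from the bug report or httpd: decode the signatureAlgorithm
# OID of a DER X.509 certificate to see which digest signed it (pure Python).
# The sample certificates below are CONSTRUCTED shells: only the outer layout is real.

SIG_ALG_DIGEST = {                      # RFC 3279 / RFC 4055 algorithm OIDs
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}
# Assumption taken from the report: unpatched mod_ssl 2.0.59 has only MD5 and SHA-1.
DIGESTS_WITHOUT_ADD_ALL = {"md5", "sha1"}

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends a base-128 arc
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, cert, _ = der_read(cert_der, 0)
    _, _tbs, pos = der_read(cert, 0)    # skip tbsCertificate
    _, alg, _ = der_read(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_read(alg, 0)      # first element: the algorithm OID (tag 0x06)
    return decode_oid(oid) if tag == 0x06 else None

def digest_of(cert_der):
    return SIG_ALG_DIGEST.get(signature_algorithm(cert_der), "unknown")
def verifiable_without_add_all(cert_der):
    """True if an unpatched httpd 2.0.59 mod_ssl could verify this signature."""
    return digest_of(cert_der) in DIGESTS_WITHOUT_ADD_ALL
def tlv(tag, value):                    # short-form lengths suffice for the samples
    return bytes([tag, len(value)]) + value
def fake_cert(oid_content):
    """Constructed sample: real outer layout, dummy tbsCertificate and signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, oid_content) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa\xbb\xcc"))

SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
```

On a real certificate, feed the DER bytes (for example the output of `openssl x509 -outform DER`) to `verifiable_without_add_all` to see which client certificates would hit the "certificate signature failure" path.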
