httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46355] New: Support to protect multiple resources via x.509 client auth certificates that are issued off different Issuing CAs that are issued off the same Root CA
Date Fri, 05 Dec 2008 17:26:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46355

           Summary: Support to protect multiple resources via x.509 client
                    auth certificates that are issued off different Issuing
                    CAs that are issued off the same Root CA
           Product: Apache httpd-2
           Version: 2.2.10
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: m.gonzalezlee@gmail.com


I have attempted to configure the Apache web server to protect 2 different
resources (/protected and /protected2) with X.509 client authentication making
use of certificates issued off 2 different issuing CAs that were issued of the
same Root CA. Note that both resources are protected by the same listener
listening on 443. Note also that this issue is related to the client trust list
and not server trust list (i.e. the bundle of CA certificates configured to
support either Server SSL or Client SSL).

The test PKI hierarchy I am testing against looks as follows:

                             Root CA
                                |
             -----------------------------------------
             |                  |                    |
        Issuing CA1       Issuing CA2           Issuing CA3

       (issuing certs    (issuing certs        (issuing certs
        to protect        to protect            to protect another
        '/protected')     '/protected2')        web server)


However, I could not configure Apache to protect such resources accordingly. If
this can be done, please let me know, although my testing indicates that it can
not, hence raising this bug report!

The best I could achieve is to protect BOTH resources (/protected and
/protected2) making use of the same Issuing CAs, using the following config
snippet:

SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
SSLCertificateChainFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
SSLCACertificateFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
SSLCADNRequestFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/client-auth-ica-bundle.crt"
SSLVerifyClient none

<Directory "C:/Program Files/Apache Software
Foundation/Apache2.2/htdocs-443/protected">
  SSLVerifyClient require
  SSLVerifyDepth  2
</Directory>

<Directory "C:/Program Files/Apache Software
Foundation/Apache2.2/htdocs-443/protected2">
  SSLVerifyClient require
  SSLVerifyDepth  2
</Directory>


However, I would like to be able to protect both resources (/protected and
/protected2) making use of certificates issued by *different* Issuing CAs that
were in turn issued off the same Root CA (as illustrated above). I tried moving
the 'SSLCACertificateFile' directive within the 'Directory' directve, but the
server would not start up (producing the error: "SSLCADNRequestFile not allowed
here"). The config I would like to have succeeded is:

SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
SSLCertificateChainFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
SSLCACertificateFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
SSLVerifyClient none

<Directory "C:/Program Files/Apache Software
Foundation/Apache2.2/htdocs-443/protected">
  SSLCADNRequestFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/client-auth-ica1.crt"
  SSLVerifyClient require
  SSLVerifyDepth  2
</Directory>

<Directory "C:/Program Files/Apache Software
Foundation/Apache2.2/htdocs-443/protected2">
  SSLCADNRequestFile "C:/Program Files/Apache Software
Foundation/Apache2.2/conf/ssl/client-auth-ica2.crt"
  SSLVerifyClient require
  SSLVerifyDepth  2
</Directory>


Can this be achieved in any other way that I may have missed, or is an
enhancement request required?

Thanks,

Manuel.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message