From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 46355] New: Support to protect multiple resources via x.509 client auth certificates that are issued off different Issuing CAs that are issued off the same Root CA
Date: Fri, 5 Dec 2008 09:26:25 -0800 (PST)

https://issues.apache.org/bugzilla/show_bug.cgi?id=46355

           Summary: Support to protect multiple resources via x.509 client
                    auth certificates that are issued off different Issuing
                    CAs that are issued off the same Root CA
           Product: Apache httpd-2
           Version: 2.2.10
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: m.gonzalezlee@gmail.com


I have attempted to configure the Apache web server to protect 2 different
resources (/protected and /protected2) with X.509 client authentication
making use of certificates issued off 2 different issuing CAs that were
issued off the same Root CA.

Note that both resources are protected by the same listener listening on
443. Note also that this issue is related to the client trust list and not
server trust list (i.e. the bundle of CA certificates configured to support
either Server SSL or Client SSL).

The test PKI hierarchy I am testing against looks as follows:

                           Root CA
                              |
         -----------------------------------------
         |                    |                    |
    Issuing CA1          Issuing CA2          Issuing CA3
   (issuing certs       (issuing certs       (issuing certs
    to protect           to protect           to protect
    '/protected')        '/protected2')       another
                                              web server)

However, I could not configure Apache to protect such resources
accordingly. If this can be done, please let me know, although my testing
indicates that it can not, hence raising this bug report!
The best I could achieve is to protect BOTH resources (/protected and
/protected2) making use of the same Issuing CAs, using the following config
snippet:

    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
    SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
    SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
    SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-bundle.crt"
    SSLVerifyClient none

    <Directory "/protected">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>

    <Directory "/protected2">
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>

However, I would like to be able to protect both resources (/protected and
/protected2) making use of certificates issued by *different* Issuing CAs
that were in turn issued off the same Root CA (as illustrated above).

I tried moving the 'SSLCACertificateFile' directive within the 'Directory'
directive, but the server would not start up (producing the error:
"SSLCADNRequestFile not allowed here").
The config I would like to have succeeded is:

    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
    SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"
    SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
    SSLVerifyClient none

    <Directory "/protected">
        SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica1.crt"
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>

    <Directory "/protected2">
        SSLCADNRequestFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica2.crt"
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>

Can this be achieved in any other way that I may have missed, or is an
enhancement request required?

Thanks,
Manuel.
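An added configuration example, not from the report or from the httpd project, showing how the issuer restriction can be enforced within what mod_ssl 2.2 allows: SSLCACertificateFile and SSLCADNRequestFile are only accepted at server or virtual-host scope (the report's "not allowed here" error), and because the vhost bundle anchors on the Root CA, a certificate from any issuing CA under that root, including Issuing CA3, passes the handshake for either resource; a per-directory SSLRequire on the client certificate's issuer DN then keeps each resource to its own issuing CA. The file paths follow the report; the issuer DNs are constructed placeholders that must be replaced with the real ones (openssl x509 -noout -issuer -in <issuing-ca>.crt).

```apache
# Added example (not the reporter's config): one HTTPS virtual host, two
# resources, each restricted to certificates from a different issuing CA.
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile      "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server.crt"
SSLCertificateKeyFile   "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-unencrypted.key"
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/server-ca-chain.crt"

# Trust anchors used to build and verify the client chain (vhost scope
# only in 2.2). Because the Root CA is in this bundle, a chain from ANY
# issuing CA under it verifies; SSLVerifyClient alone cannot tell CA1
# from CA2 or CA3. The SSLRequire lines below do that enforcement.
SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-and-root-bundle.crt"
# Acceptable-CA names advertised in the CertificateRequest: a hint to the
# client about which certificate to present, not an access control.
SSLCADNRequestFile   "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl/client-auth-ica-bundle.crt"
SSLVerifyClient none

<Directory "/protected">
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Check the issuer after the handshake. Compare the whole issuer DN
    # (2.2 uses the OpenSSL one-line "/O=.../CN=..." form), not just the
    # CN, so a second CA under the root with a colliding CN cannot match.
    # Placeholder DN: replace with the real Issuing CA1 subject.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/O=Example/CN=Issuing CA1"
</Directory>

<Directory "/protected2">
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Placeholder DN: replace with the real Issuing CA2 subject.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/O=Example/CN=Issuing CA2"
</Directory>
```

A client holding an Issuing CA3 certificate still completes the TLS handshake but receives 403 from both resources, so the issuer check can be confirmed from the access log rather than from a handshake failure.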