httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47134] New: Last resolve handling when sending client certificate in SSLProxy
Date Fri, 01 May 2009 13:46:58 GMT

           Summary: Last resolve handling when sending client certificate
                    in SSLProxy
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: mod_ssl

Created an attachment (id=23569)
Patch for sending first configured client cert as last resolve

Currently the selection of the correct client certificate when using the
SSLProxy functionality is fully dependent on the CA list returned by the
server. When no exact match is found between client cert issuer and one of the
CAs in the list from the server the connection fails.

In my environment we communicate with a probably misconfigured server that has
not got the exact same issuer CA in its list as it used in the provided client
certificate. This causes the connection to fail because no correct client cert
can be found. The problem is that the provider probably assumes that the
complete CA chain is tested against all returned CAs from the server since the
client certificate's root cert is indeed in the list, but the current code only
seems to check against the issuer as found in the client cert and not the
entire CA chain.

To solve the problem the attached patch was done against 2.2.11 to allow the
certificate selection routine to return the first configured certificate in the
list if no exact match can be found. 

I realise that this is probably bugfixing at the wrong end, but if so,
questions must be made if the server was configured incorrectly, or if the way
mod_ssl evaluates the candidate certificates is the correct way.

In both cases I see no harm in returning the first client cert in the list as a
last resolve since existing functionality is not changed, but some might
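As an added illustration (not mod_ssl's code and not the attached patch), the following Python models the three selection policies the report contrasts: matching only the leaf certificate's issuer, walking the bundled CA chain, and the patch's fall-back to the first configured certificate. Plain DN strings stand in for parsed X.509 names, and every certificate is a constructed sample value.

```python
# Added illustration of the client-certificate selection policies discussed
# in the report. Not mod_ssl code: DN strings replace real X.509 parsing.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    # CA certs bundled with this client cert, ordered leaf-side first.
    chain: List["Cert"] = field(default_factory=list)


def issuer_match(certs: List[Cert], server_cas: List[str]) -> Optional[Cert]:
    """Behaviour the report describes: a candidate is accepted only when the
    issuer named in the client cert itself is in the server's CA list."""
    accepted = set(server_cas)
    for c in certs:
        if c.issuer in accepted:
            return c
    return None  # no candidate, so the proxied TLS handshake fails


def chain_match(certs: List[Cert], server_cas: List[str]) -> Optional[Cert]:
    """What the reporter suspects the server expects: test every issuer in
    the bundled chain, not only the leaf's, and accept on any hit."""
    accepted = set(server_cas)
    for c in certs:
        issuers = [c.issuer] + [ca.issuer for ca in c.chain]
        if any(name in accepted for name in issuers):
            return c
    return None


def issuer_match_or_first(certs: List[Cert], server_cas: List[str]) -> Optional[Cert]:
    """The patch's idea: keep the exact-issuer match, but fall back to the
    first configured cert instead of failing. The fallback presents a cert
    whose issuer the server never advertised; the server then decides."""
    return issuer_match(certs, server_cas) or (certs[0] if certs else None)


# Constructed sample matching the report: the server advertises only its
# root CA, while the proxy's client cert was issued by an intermediate.
ROOT_DN = "CN=Example Root CA"
INTERMEDIATE = Cert(subject="CN=Example Issuing CA", issuer=ROOT_DN)
CLIENT = Cert(subject="CN=proxy-client", issuer=INTERMEDIATE.subject,
              chain=[INTERMEDIATE])
CONFIGURED = [CLIENT]
SERVER_CA_LIST = [ROOT_DN]
```

Running the three selectors on the sample shows the failure the report describes (issuer-only match finds nothing), the chain walk finding the cert through its root, and the patch's fallback returning the first configured cert.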
