httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47492] New: SSLVerifyClient require_no_ca
Date Wed, 08 Jul 2009 01:45:16 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47492

           Summary: SSLVerifyClient require_no_ca
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: All
               URL: http://dig.csail.mit.edu/2009/mod_ssl-require_no_ca/mod_ssl-2.2.11-require_no_ca.patch
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: presbrey@gmail.com


Created an attachment (id=23937)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23937)
SSLVerifyClient require_no_ca patch for httpd-2.2.11

This patch submission implements an additional option for the SSLVerifyClient
directive: require_no_ca.  When configured, this option requires that clients
present SSL certificates but allows certificates issued by CAs unknown to the
server.

This feature is especially useful for SSL-based authentication schemes
implementing trust models independent of typical enterprise CA/chain
verification.  The optional_no_ca option is insufficient for widely-deployed
solutions of this fashion since "'optional' doesn't work with all browsers"
[1].

One example making use of this configuration is the FOAF+SSL [2] protocol which
allows a client to assert an identity specified as a URI in the X509v3
extension subjectAltName of their certificate. After SSL negotiation by
mod_ssl, mod_authn_webid [3] pulls the URI via ssl_ext_lookup, calculates the
modulus and exponent of the client certificate, and authenticates the user to
this URI identity if the mod/exp published at the URI match those of the
presented certificate.

Please consider this short patch for inclusion.  It applies cleanly to release
2.2.11.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
[2] http://esw.w3.org/topic/foaf+ssl
[3] http://dig.csail.mit.edu/2009/mod_authn_webid/

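An added example (not from the bug report, the patch, or mod_authn_webid) of the key-binding check the report describes: with require_no_ca the issuing CA proves nothing, so the authenticator must itself confirm that the modulus and exponent published at the subjectAltName URI match the presented certificate. The certificate fields and the profile fetcher are stand-ins here (`fetch_profile_keys` is a hypothetical callback; the key values are constructed), since the real module pulls them via ssl_ext_lookup and an HTTP fetch of the FOAF profile.

```python
from urllib.parse import urlsplit


def normalise_modulus(value: str) -> str:
    """Canonicalise a hex modulus so OpenSSL-style '00:c3:a1' equals 'C3A1':
    drop whitespace and colons, lower-case, strip the leading zero octets."""
    hexdigits = "".join(ch for ch in value.lower() if ch not in " :\n\t")
    if hexdigits.startswith("0x"):
        hexdigits = hexdigits[2:]
    if not hexdigits or any(ch not in "0123456789abcdef" for ch in hexdigits):
        raise ValueError("modulus is not hexadecimal")
    return hexdigits.lstrip("0") or "0"


def webid_uri_is_fetchable(uri: str) -> bool:
    """Only http(s) WebIDs are dereferenced; file:, mailto: etc. are refused."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def authenticate_webid(san_uris, cert_modulus, cert_exponent, fetch_profile_keys):
    """Return the WebID URI the client certificate proves control of, or None.

    san_uris          -- URIs taken from the certificate's subjectAltName
    cert_modulus/exp  -- RSA public key of the presented certificate
    fetch_profile_keys(uri) -- hypothetical callback returning the list of
                               (modulus_hex, exponent) pairs published at uri
    """
    cert_n = normalise_modulus(cert_modulus)
    for uri in san_uris:
        if not webid_uri_is_fetchable(uri):
            continue
        try:
            published = fetch_profile_keys(uri)
        except OSError:  # profile unreachable: this URI cannot be confirmed
            continue
        for mod, exp in published:
            try:
                if normalise_modulus(mod) == cert_n and int(exp) == int(cert_exponent):
                    return uri
            except ValueError:
                continue  # malformed key in the profile: ignore it
    return None


# Constructed sample profile, keyed by WebID URI (not real data).
SAMPLE_PROFILE = {"https://example.org/alice#me": [("C3A15E0B7F1234", 65537)]}

if __name__ == "__main__":
    print(authenticate_webid(["https://example.org/alice#me"],
                             "00:c3:a1:5e:0b:7f:12:34", 65537, SAMPLE_PROFILE.get))
```

A certificate from any CA (or self-signed) that carries Alice's URI but a different key is rejected, which is the property require_no_ca shifts from the CA chain onto this check.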
