From: bugzilla@apache.org
To: bugs@httpd.apache.org
Reply-To: "Apache HTTPD Bugs Notification List"
Subject: DO NOT REPLY [Bug 47492] New: SSLVerifyClient require_no_ca
Date: Tue, 7 Jul 2009 18:45:16 -0700 (PDT)
Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_ssl
X-Bugzilla-Severity: normal
X-Bugzilla-Priority: P2
X-Bugzilla-Status: NEW
X-Bugzilla-Who: presbrey@gmail.com
X-Bugzilla-Assigned-To: bugs@httpd.apache.org
https://issues.apache.org/bugzilla/show_bug.cgi?id=47492

           Summary: SSLVerifyClient require_no_ca
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: All
               URL: http://dig.csail.mit.edu/2009/mod_ssl-require_no_ca/mod_ssl-2.2.11-require_no_ca.patch
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: presbrey@gmail.com

Created an attachment (id=23937)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23937)
SSLVerifyClient require_no_ca patch for httpd-2.2.11

This patch submission implements an additional option for the SSLVerifyClient
directive: require_no_ca. When configured, this option requires that clients
present SSL certificates but allows certificates issued by CAs unknown to the
server.

This feature is especially useful for SSL-based authentication schemes
implementing trust models independent of typical enterprise CA/chain
verification. The optional_no_ca option is insufficient for widely-deployed
solutions of this fashion since "'optional' doesn't work with all browsers" [1].

One example making use of this configuration is the FOAF+SSL [2] protocol,
which allows a client to assert an identity specified as a URI in the X509v3
extension subjectAltName of their certificate. After SSL negotiation by
mod_ssl, mod_authn_webid [3] pulls the URI via ssl_ext_lookup, calculates the
modulus and exponent of the client certificate, and authenticates the user to
this URI identity if the mod/exp published at the URI match those of the
presented certificate.

Please consider this short patch for inclusion. It applies cleanly to release
2.2.11.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
[2] http://esw.w3.org/topic/foaf+ssl
[3] http://dig.csail.mit.edu/2009/mod_authn_webid/

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
--------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org
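The report above describes the FOAF+SSL flow that require_no_ca is meant to enable: the server accepts a client certificate from any issuer, reads the WebID URI out of subjectAltName, and authenticates the client only if the modulus and exponent of the presented key match the ones published at that URI. The following Go program is an added illustration of that key-to-URI binding; it is not the reporter's patch, not mod_authn_webid, and not httpd code. It assumes an in-memory `profileStore` standing in for dereferencing the WebID URI and parsing the FOAF document, a hypothetical WebID `https://alice.example/profile#me`, and self-signed certificates generated on the fly (no CA is involved, which is exactly the situation require_no_ca creates). It also covers the failure mode that makes the modulus/exponent check essential: a self-signed certificate that copies the victim's URI but not the victim's key must be rejected, because chain validation no longer stops it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// publishedKey is the modulus/exponent pair a WebID profile lists for its
// owner. Constructed stand-in for the RDF statements in the FOAF document.
type publishedKey struct {
	Modulus  *big.Int
	Exponent int
}

// profileStore stands in for fetching and parsing the profile at the WebID
// URI; it is keyed by URI because that is what the certificate carries.
type profileStore map[string][]publishedKey

// newClientCert issues a self-signed certificate with the WebID URI in
// subjectAltName. Self-signed on purpose: with require_no_ca the server
// does not care who signed the client certificate.
func newClientCert(key *rsa.PrivateKey, webid string) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// webIDFromCert mirrors the ssl_ext_lookup step: take the URI from subjectAltName.
func webIDFromCert(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) == 0 {
		return "", errors.New("no URI in subjectAltName")
	}
	return cert.URIs[0].String(), nil
}

// authenticate returns the WebID the client proved control of, or an error.
// No chain verification happens here; the only binding is key-to-URI, so a
// certificate that merely names someone else's URI must fail.
func authenticate(cert *x509.Certificate, store profileStore) (string, error) {
	webid, err := webIDFromCert(cert)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("client key is not RSA")
	}
	keys, ok := store[webid]
	if !ok {
		return "", fmt.Errorf("%s: no profile found", webid)
	}
	for _, k := range keys {
		if k.Modulus.Cmp(pub.N) == 0 && k.Exponent == pub.E {
			return webid, nil
		}
	}
	return "", fmt.Errorf("%s: presented key is not listed in the profile", webid)
}

// demo runs the two cases that matter: the profile owner, and a forged
// self-signed certificate that copies the owner's URI but not the owner's key.
func demo() (owner string, ownerErr error, forgedErr error) {
	const alice = "https://alice.example/profile#me" // hypothetical WebID
	aliceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err, err
	}
	malloryKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err, err
	}
	store := profileStore{alice: {{Modulus: aliceKey.N, Exponent: aliceKey.E}}}
	aliceCert, err := newClientCert(aliceKey, alice)
	if err != nil {
		return "", err, err
	}
	owner, ownerErr = authenticate(aliceCert, store)
	forged, err := newClientCert(malloryKey, alice)
	if err != nil {
		return owner, ownerErr, err
	}
	_, forgedErr = authenticate(forged, store)
	return owner, ownerErr, forgedErr
}

func main() {
	owner, ownerErr, forgedErr := demo()
	fmt.Println("owner:", owner, ownerErr)
	fmt.Println("forged:", forgedErr)
}
```

The point to take from the second case is the one the report leaves implicit: once the server stops validating the issuer, the subjectAltName URI on its own proves nothing, and the security of the scheme rests entirely on comparing the presented public key against the key material published at the URI, which in turn rests on fetching that profile from a location the client cannot tamper with.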