httpd-bugs mailing list archives
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 49731] New: SSLVerifyClient and SSL virtual hosts don't work quite right
Date Mon, 09 Aug 2010 23:20:14 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=49731

           Summary: SSLVerifyClient and SSL virtual hosts don't work quite
                    right
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dlongley@digitalbazaar.com


If your apache configuration consists of multiple SSL virtual hosts on the same
IP that have different values for SSLVerifyClient then only the first
configuration is used.

For instance, if the configuration for 0-example1.com sets SSLVerifyClient to
'none' and the configuration for 1-example2.com sets SSLVerifyClient to
'optional_no_ca', then no CertificateRequest message will be sent out over the
TLS protocol regardless of the SNI value in the ClientHello extension.

If the situation is reversed (0-example2.com and 1-example1.com) then a
CertificateRequest message will be sent out for both domains.

This can be confirmed using two Apache website configurations with SSL enabled
(one with 'SSLVerifyClient none' and the other with 'SSLVerifyClient
optional_no_ca') and OpenSSL's s_client tool as the client:

openssl s_client -tls1 -debug -msg -state -servername example1.com
openssl s_client -tls1 -debug -msg -state -servername example2.com

Apache's SNI handler should determine whether or not to send a
CertificateRequest (modify peer verify mode) based on the requested host;
however, it does not.

This bug could be particularly painful for large collections of SSL-enabled
sites that are served by Apache where only one or two of the sites require or
might require client-side certificates. If one of the configurations for those
sites isn't loaded first then client-side certificates will never be sent. If
one of them is loaded first then every other SSL site will either simply fail
(in the cert-required case) or cause browsers to pop up client-certificate UIs
(in the cert-optional case where the browser user has an available certificate
in their browser key-chain).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
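The s_client check described in the report can be automated. The following Python probe is an added example and is not part of this bug report or of Apache's own code: it sends a bare TLS 1.0 ClientHello carrying a chosen SNI name, reads the server's first flight, and reports whether a CertificateRequest (handshake type 13) appears before ServerHelloDone. It assumes the server negotiates TLS 1.0 to 1.2, where that flight is sent in the clear (under TLS 1.3 the CertificateRequest is encrypted and this check does not apply), and that one of the offered cipher suites is acceptable to the server. The server flights used for the offline demonstration are constructed here, not captured from a real host; the host, port and SNI name on the command line are whatever you point it at.

```python
"""Probe whether a TLS 1.0-1.2 server sends a CertificateRequest for a given SNI name.

Usage: python sni_certreq_probe.py <host> <port> <servername>
"""
import socket
import struct
import sys

ALERT = 21
HANDSHAKE = 22
TLS10 = b"\x03\x01"
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14


def handshake_message(msg_type, body):
    """One handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(content_type, fragment, version=TLS10):
    """One TLS record: type, protocol version, 2-byte length, fragment."""
    return bytes([content_type]) + version + struct.pack("!H", len(fragment)) + fragment


def build_client_hello(server_name):
    """Minimal TLS 1.0 ClientHello with a server_name extension (RFC 6066)."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in (
        0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        0xC014,  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
        0x0035,  # TLS_RSA_WITH_AES_256_CBC_SHA
        0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    ))
    body = (TLS10
            + b"\x00" * 32                                    # client random (probe only, never completes)
            + b"\x00"                                         # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                     # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    return record(HANDSHAKE, handshake_message(HS_CLIENT_HELLO, body))


def iter_records(data):
    """Yield (content_type, fragment) for each complete record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!B2sH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) < length:
            break
        yield ctype, fragment
        off += 5 + length


def handshake_types(records):
    """Reassemble handshake fragments and list the complete message types seen.

    Servers may pack several messages into one record or split one across records,
    so all handshake fragments are concatenated before the messages are walked.
    """
    buf = b"".join(frag for ctype, frag in records if ctype == HANDSHAKE)
    types, off = [], 0
    while off + 4 <= len(buf):
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + length > len(buf):
            break
        types.append(buf[off])
        off += 4 + length
    return types


def classify_server_flight(data):
    """'cert_requested', 'no_cert_request', 'alert' or 'incomplete' for a server flight."""
    records = list(iter_records(data))
    types = handshake_types(records)
    if HS_CERTIFICATE_REQUEST in types:
        return "cert_requested"
    if HS_SERVER_HELLO_DONE in types:
        return "no_cert_request"
    if any(ctype == ALERT for ctype, _ in records):
        return "alert"
    return "incomplete"


def constructed_server_flight(with_cert_request):
    """Constructed (not captured) server flight: ServerHello, Certificate,
    optional CertificateRequest (rsa_sign, no CAs, as for optional_no_ca), ServerHelloDone,
    split at an odd boundary across two records to exercise reassembly."""
    flight = handshake_message(HS_SERVER_HELLO, TLS10 + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
    flight += handshake_message(HS_CERTIFICATE, b"\x00\x00\x00")
    if with_cert_request:
        flight += handshake_message(HS_CERTIFICATE_REQUEST, b"\x01\x01" + b"\x00\x00")
    flight += handshake_message(HS_SERVER_HELLO_DONE, b"")
    return record(HANDSHAKE, flight[:7]) + record(HANDSHAKE, flight[7:])


def probe(host, port, server_name, timeout=5.0):
    """Send the ClientHello and classify the server's first flight; never completes the handshake."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name))
        while True:
            try:
                chunk = sock.recv(16384)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            if classify_server_flight(data) != "incomplete":
                break
    return classify_server_flight(data)


if __name__ == "__main__":
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(name, "->", probe(host, port, name))
```

Run it once per SNI name against the same IP and port; on a server affected by this report the two names return the same result, whichever vhost was loaded first, whereas a correct server returns 'no_cert_request' for the 'SSLVerifyClient none' host and 'cert_requested' for the 'optional_no_ca' host.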

