httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 52874] New: Support Use TrustedFirst checking when verifying client certificate chain
Date Fri, 09 Mar 2012 17:24:28 GMT

             Bug #: 52874
           Summary: Support Use TrustedFirst checking when verifying
                    client certificate chain
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
    Classification: Unclassified

Client Certificate verification expects the client to provide a full
certificate chain back to a trusted root.  However, with the introduction of
Cross-certification configuration, there may be multiple "valid" paths, of
differing scope.  OpenSSL (HEAD/c.a. 1.0.2) has provided support for a Trusted
First flag to verification processing, and I would like to see that make it's
way back into mod_ssl.
As I'm using RHEL-5, I'd like to get EL-5 to update it's mod_ssl (and openssl),
but I'd like to get the patch into mod_ssl's "upstream," as well.

Basically, when verifying the Client certificate, the chain building process
should always check for the "next" (higher) CA Certificate to be in the
"trusted" store on the server-side, and if it finds it there, to use it;
continuing to build the chain from the server's store, ignoring the clients
store where possible.  This will allow clients to provide intermediates up to a
point (making it so the server needn't track all intermediates).  Once the
point of cross-certification is reached, the verification will proceed only
through the servers' version to the Roots/intermediates it trusts, rather than
needing to trust the client-offered chain -- which will vary in trust-scope.

To reproduce:  1. Generate a CA structure that has multiple roots, and issue
one of the intermediates, or one of the "Root" certificates through both CA
structures.  2. Configuration two browser-profiles; one to use each separate
chain.  3. Configure the server to trust one of the Roots, but not the other. 
4.  One profile should "work," and the other should result in a "Local Issuer
not found (20)" type error.
  [Cross-Certification (CC) Root CA]
  [Intermediate CC 1]
  [Re-issued non-CC "Root" CA] <--same keys--> [Self-Signed (SS) Root CA]
                  \                               /
                   \                             /
                    \                           /
             [Intermediate issued from cross-certified CA]
                    [End-entity (user) certificate]

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message