httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Kahn Gillmor <>
Subject Re: mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Wed, 26 Mar 2014 13:47:43 GMT
On 03/26/2014 07:11 AM, Emilia Kasper wrote:
> The patch fixes a) by sanity-checking the chain and chopping self-signed
> roots. I believe it's harmless to turn on by default as the rebuild step
> will either yield a valid chain or preserve the original configuration.

I like this suggestion.  with a worst-case-engineering mindset, though,
i wonder if there aren't some places where this might cause problems

is it possible that there exist cross-signed "root certs", and clients
which auto-chain them back to another cert?  for example:

 CA X has older root cert Y.

    X creates new root cert Z.

    X creates new intermediate CA cert Y', with the same
SubjectPublicKey as Y, but signed with Z, to indicate that browsers that
accept certs signed by Z should also accept certs signed by Y.  (perhaps
Y' has a shorter expiration date than Y, to indicate a new transition plan)

Some older clients ship Y in their root store, but do not know about Z.

Some newer clients ship Z in their root store, but deliberately do not
ship Y' or Y.

I'm assuming that a client would note the subject keyID and the proper
signature to terminate the chain at Y or Y' if it has either of them in
its root store.  (maybe i'm mistaken about this)

If a mod_ssl server's EE cert W is signed by Y, and they ship Y,W, then
they work for all clients.  With this patch applied, they would normally
ship just W; this would fail newer clients.

And of course, the web server could ship Y',W (if they know about Y'),
which would survive this cut.

This is a pretty perverse situation, though, and perhaps the answer is
that CA X just shouldn't do that kind of weird/chained reissuance over
the key in Y.  I've also done no certificate surveys to see if this sort
of scenario has actually happened anywhere in the modern landscape.

> I've no good idea how to reliably detect and fix missing intermediates but
> would be happy to try out any good suggestions.


If the server has a list of root CAs that it expects clients to have, it
should be straightforward to detect missing intermediates.  However,
SSLCACertificate{Path,File} and SSLCADNRequest{Path,File} don't work
here, because the list of CAs that a server is willing to accept for
client certs is orthogonal to the list of CAs that it expects a client
to hold.  (mod_ssl's minor conflation of these two purposes by its
willingness to build server chains from the SSLCACertificate{Path,File}
is a bad idea because it encourages administrators to accept client
certs from the CAs that issued the server's cert)

One option would be to use OpenSSL's default CA path for this (e.g.
/etc/ssl/certs in debian), and to introduce another configuration
directive for administrators to override this choice.

Alternately, we could encourage the administrator to list the full chain
(including the root) in SSLCertificateChainFile.  This would allow for
reliable detection, and wouldn't bloat the handshake if the patch here
is applied.


The best way i see to autocorrect this is to have a publicly-accessible
list of intermediate certificate authorities (and this archive might as
well include public root authorities as well), addressable by
SubjectKeyID.  This seems like something that could be pulled from a
network survey, and could be verified automatically.  Maybe it already

Then when mod_ssl notes that an intermediate is missing, it could log an
error message saying "an intermediate CA is missing.  you probably want
to load append an intermediate certificate from<subjectkeyid> to

A non-minimal web server installation might want to bundle such a
dataset of intermediate CAs alongside their apache installation (or
provide it as an auxiliary package) to allow the admin to do an
automatic local fetch.  But in this case, it's conceivable that you
could just point mod_ssl at this indexed local cache (via some new
directive, i think -- we can't really overload any of the existing ones)
and have it construct the chain without assistance from the
administrator at all.

CT might be a good place to gather this information from -- are there
plans to ensure that all intermediate CAs are logged publicly?


View raw message