httpd-test-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sander Temme <scte...@covalent.net>
Subject [PATCH] Enable client certificate for https-https proxy tests
Date Mon, 04 Aug 2003 19:37:51 GMT
Hi all,

This patch fixes a problem that occurs when RSA SSL-C is used as back-end
for mod_ssl:

Index: t/conf/ssl/proxyssl.conf.in
===================================================================
RCS file: 
/home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
retrieving revision 1.11
diff -u -r1.11 proxyssl.conf.in
--- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -0000       1.11
+++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -0000
@@ -34,7 +34,7 @@
         #these are not on by default in the 1.x based mod_ssl
         <IfDefine APACHE2>
             SSLProxyEngine On
-            #SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
+            SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
             #client_ok.pem should be loaded first
             SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
             SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt

If I don't explicitly specify the proxy client cert when running on SSL-C,
the wrong certificate gets picked for proxy client authentication. The
result is a 403 Forbidden from the upstream, and a 502 Bad Gateway from the
proxy. 

The regular mod_ssl/OpenSSL combination is not affected, but is not broken
by this patch either. Tested on Darwin (OpenSSL), Linux (both OpenSSL and
SSL-C) and Solaris (both).

S.

-- 
Covalent Technologies                             sctemme@covalent.net
Engineering group                                Voice: (415) 856 4214
303 Second Street #375 South                       Fax: (415) 856 4210
San Francisco CA 94107

   PGP Fingerprint: 7A8D B189 E871 80CB 9521  9320 C11E 7B47 964F 31D9

=======================================================
This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message
=======================================================


Mime
View raw message