httpd-test-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] Enable client certificate for https-https proxy tests
Date Wed, 18 Feb 2004 21:05:24 GMT
On Mon, Aug 04, 2003 at 12:37:51PM -0700, Sander Temme wrote:
> Hi all,
> 
> This patch fixes a problem that occurs when RSA SSL-C is used as back-end
> for mod_ssl:

Just looked into this again, we'd seen this same problem on a few boxes
(using OpenSSL of course), but not on others, and had been using exactly
the same patch as you, and now I triggered the thing again today.

It is a directory ordering bug (they are the order of the day it seems
:): successful operation depends on readdir() returning client_ok.pem
first, which is not guaranteed but happens sometimes; since all the
certs match the CA names offered any of them will be chosen.  So this
really is a correct fix.

I suppose there is a mod_ssl bug here too: SSLP.M.C.Path is not
consistent in determining which client cert is used if several would
match the CA names offered, it just relies on directory ordering.

I'll check this in, anyway.  Very belated thanks :)

> Index: t/conf/ssl/proxyssl.conf.in
> ===================================================================
> RCS file: 
> /home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
> retrieving revision 1.11
> diff -u -r1.11 proxyssl.conf.in
> --- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -0000       1.11
> +++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -0000
> @@ -34,7 +34,7 @@
>          #these are not on by default in the 1.x based mod_ssl
>          <IfDefine APACHE2>
>              SSLProxyEngine On
> -            #SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
> +            SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
>              #client_ok.pem should be loaded first
>              SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
>              SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt
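
Review bot: The comment on the context line just below the changed line, `#client_ok.pem should be loaded first`, states the requirement but not how it is met or why: a reader cannot tell that the now-active SSLProxyMachineCertificateFile line is what ensures it, or that SSLProxyMachineCertificatePath on its own leaves the order to directory ordering. Suggest moving the comment above the File directive and rewording it, for example "#load client_ok.pem explicitly; the order of files read from the Path directory is not guaranteed". Also, client_ok.pem sits inside @SSLCA@/asf/proxy, so the same file is named by both the File and the Path directive; it is worth confirming that loading it twice is harmless.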



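The directory-ordering problem described in the message above, as an added example that is not part of the original post and is not mod_ssl code: a small model that assumes the first loaded certificate whose issuer matches an offered CA name is the one chosen. Every file name other than client_ok.pem, and the CA name, are constructed for the illustration.

```python
from itertools import permutations

# Constructed sample data: (file name, issuer CA). Only client_ok.pem is a
# name from the message; the other file names and the CA name are made up.
PROXY_DIR = [
    ("client_ok.pem", "CN=example-ca"),
    ("client_other1.pem", "CN=example-ca"),
    ("client_other2.pem", "CN=example-ca"),
]
OFFERED_CAS = {"CN=example-ca"}


def load_order(dir_listing, pinned_file=None):
    """Certificates in the order they are loaded: the pinned file first
    (the File directive), then the directory in listing order (the Path
    directive). A pinned file therefore appears twice in the result."""
    certs = []
    if pinned_file is not None:
        certs += [c for c in dir_listing if c[0] == pinned_file]
    certs += list(dir_listing)
    return certs


def choose_client_cert(certs, offered_cas):
    """Assumed selection rule: first loaded cert whose issuer was offered."""
    for name, issuer in certs:
        if issuer in offered_cas:
            return name
    return None


def possible_choices(pinned_file=None):
    """Every cert that could be chosen across all directory orderings,
    standing in for the unspecified order readdir() may return."""
    return {
        choose_client_cert(load_order(listing, pinned_file), OFFERED_CAS)
        for listing in permutations(PROXY_DIR)
    }


if __name__ == "__main__":
    print("Path only:     ", sorted(possible_choices()))
    print("File then Path:", sorted(possible_choices("client_ok.pem")))
```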