View | Details | Raw Unified | Return to bug 45922

(-)docs/manual/mod/mod_ssl.xml (-56 / +79 lines)
Lines 83-89 Link Here
83
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
83
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
84
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
84
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
85
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
85
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
86
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
86
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr>
87
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
87
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
88
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
88
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
89
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
89
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
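Review bot: the new `GENEROUS:<em>reason</em>` entry changes the value of SSL_CLIENT_VERIFY for a case that previously yielded the bare string `GENEROUS`, and the ssl_engine_vars.c change in this same patch still emits bare `GENEROUS` when no error string was recorded, so the table should list both forms (`GENEROUS` or `GENEROUS:reason`) and the change should be flagged for anyone matching the variable with an exact comparison in SSLRequire or in application code. Minor markup: `FAILED:` keeps `<em>` outside `<code>` while the new entry nests it inside; make the two consistent.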
Lines 869-874 Link Here
869
specify an <em>all-in-one</em> file containing a concatenation of
869
specify an <em>all-in-one</em> file containing a concatenation of
870
PEM-encoded CA certificates.</p>
870
PEM-encoded CA certificates.</p>
871
871
872
<p>For testing purposes, any available certificate (signed by any CA)
873
may be requested by specifying a file containing only a single space
874
character. However note that while this trick happens to work with
875
most browsers, the SSL/TLS standards do not define the appropriate
876
behavior when the set of acceptable CA names is empty, so this is not
877
guaranteed to work with all browsers.</p>
878
872
<example><title>Example</title>
879
<example><title>Example</title>
873
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
880
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
874
</example>
881
</example>
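Review bot: the new paragraph should state what the single-space file actually does (an SSLCADNRequestFile with no PEM blocks advertises an empty set of CA names in the CertificateRequest) and make explicit that it only changes which CA names are sent to the client; which certificates are then accepted is still governed by SSLCACertificateFile/SSLCACertificatePath and SSLVerifyClient, as the SSLVerifyClient text later in this file distinguishes "acceptable" from "trusted" CAs. As written, "any available certificate (signed by any CA) may be requested" reads as if the server will accept a certificate from any CA. Suggested wording: "the client can be asked to present any certificate it holds by specifying a file containing only a single space character".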
Lines 966-996 Link Here
966
973
967
<usage>
974
<usage>
968
<p>
975
<p>
969
This directive sets the Certificate verification level for the Client
976
This directive sets the Certificate verification level for Client Certificate
970
Authentication. Notice that this directive can be used both in per-server and
977
Authentication. Notice that this directive can be used both in per-server and
971
per-directory context. In per-server context it applies to the client
978
per-directory context. In per-server context it applies to the client
972
authentication process used in the standard SSL handshake when a connection is
979
authentication process in the initial SSL handshake when a connection is
973
established. In per-directory context it forces a SSL renegotation with the
980
established. In per-directory context it forces a SSL renegotation with the
974
reconfigured client verification level after the HTTP request was read but
981
reconfigured client verification level after the HTTP request is read but
975
before the HTTP response is sent.</p>
982
before the HTTP response is sent.</p>
976
<p>
983
<p>
977
The following levels are available for <em>level</em>:</p>
984
The following levels are available for <em>level</em>:</p>
978
<ul>
985
<ul>
979
<li><strong>none</strong>:
986
<li><code>none</code>
980
     no client Certificate is required at all</li>
987
    <p>No client Certificate is requested.</p></li>
981
<li><strong>optional</strong>:
988
<li><code>optional_no_verify</code>
982
     the client <em>may</em> present a valid Certificate</li>
989
    <p>The client is asked to present a Certificate signed by one of the
983
<li><strong>require</strong>:
990
    acceptable CA Certificates, but will be accepted even if no Certificate is
984
     the client <em>has to</em> present a valid Certificate</li>
991
    provided, if the provided Certificate is not signed by one of the trusted
985
<li><strong>optional_no_ca</strong>:
992
    CA Certificates, or if the provided Certificate has been revoked or is
986
     the client may present a valid Certificate<br />
993
    otherwise invalid.</p></li>
987
     but it need not to be (successfully) verifiable.</li>
994
<li><code>optional_no_ca</code>
995
    <p>The client is asked to present a Certificate signed by one of the
996
    acceptable CA Certificates, and will be accepted even if no Certificate is
997
    provided or if the provided Certificate is not signed by one of the
998
    trusted CA Certificates, but will be disconnected if the provided
999
    Certificate has been revoked or is otherwise invalid.</p></li>
1000
<li><code>optional</code>
1001
    <p>The client is asked to present a Certificate signed by one of the
1002
    acceptable CA Certificates, and will be accepted even if no Certificate is
1003
    provided, but will be disconnected if the provided Certificate is not
1004
    signed by one of the trusted CA Certificates, has been revoked, or is
1005
    otherwise invalid.</p></li>
1006
<li><code>require</code>
1007
    <p>The client is asked to present a Certificate signed by one of the
1008
    acceptable CA Certificates, and will be disconnected if no Certificate is
1009
    provided, if the provided Certificate is not signed by on of the trusted CA
1010
    Certificates, or if the provided Certificate has been revoked or is
1011
    otherwise invalid.</p></li>
988
</ul>
1012
</ul>
989
<p>In practice only levels <strong>none</strong> and
1013
<p>In practice, most users will want either <strong>none</strong> or
990
<strong>require</strong> are really interesting, because level
1014
<strong>require</strong>, as the other levels allow users to bypass the
991
<strong>optional</strong> doesn't work with all browsers and level
1015
authentication mechanism.  However, the other levels may be useful for testing,
992
<strong>optional_no_ca</strong> is actually against the idea of
1016
or if your web application does it's own Certificate verification.</p>
993
authentication (but can be used to establish SSL test pages, etc.)</p>
1017
<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and
1018
<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to
1019
configure the list of acceptable CA Certificates, and see the
1020
<directive module="mod_ssl">SSLCACertificateFile</directive> and
1021
<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
1022
configure the list of trusted CA Certificates.</p>
1023
<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels
1024
and no Certificate signed by one of the acceptable CA Certificates is available,
1025
the browser may give up and disconnect rather than continuing without providing
1026
a Certificate. If SSLv3 or TLS are used, the browser should always either
1027
provide a Certificate or attempt to continue without a Certificate.</p>
994
<example><title>Example</title>
1028
<example><title>Example</title>
995
SSLVerifyClient require
1029
SSLVerifyClient require
996
</example>
1030
</example>
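Review bot: the `optional_no_verify` bullet needs a security caveat: a certificate that is revoked, expired or signed by an unknown CA is accepted and, per the ssl_engine_kernel.c change in this patch, is kept as the client certificate, so SSL_CLIENT_S_DN, SSL_CLIENT_CERT and the other SSL_CLIENT_* variables are populated from unverified data and must not be used for access decisions unless SSL_CLIENT_VERIFY is checked for SUCCESS; say so in the bullet and in the closing paragraph (where "does it's own" should read "does its own"). Typos: "renegotation" appears twice in the unchanged text, and the `require` bullet has "signed by on of the trusted CA". Consider dropping the SSLv2 note rather than extending this directive's documentation for a protocol version that should not be enabled.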
Lines 1420-1460 Link Here
1420
<syntax>SSLProxyVerify <em>level</em></syntax>
1454
<syntax>SSLProxyVerify <em>level</em></syntax>
1421
<default>SSLProxyVerify none</default>
1455
<default>SSLProxyVerify none</default>
1422
<contextlist><context>server config</context>
1456
<contextlist><context>server config</context>
1423
<context>virtual host</context>
1457
<context>virtual host</context></contextlist>
1424
<context>directory</context>
1425
<context>.htaccess</context></contextlist>
1426
<override>AuthConfig</override>
1427
1458
1428
<usage>
1459
<usage>
1429
1430
<p>When a proxy is configured to forward requests to a remote SSL
1460
<p>When a proxy is configured to forward requests to a remote SSL
1431
server, this directive can be used to configure certificate
1461
server, this directive can be used to configure verification of the
1432
verification of the remote server.  Notice that this directive can be
1462
remote server's SSL Certificate.</p>
1433
used both in per-server and per-directory context. In per-server
1434
context it applies to the remote server authentication process used in
1435
the standard SSL handshake when a connection is established by the
1436
proxy. In per-directory context it forces a SSL renegotation with the
1437
reconfigured remote server verification level after the HTTP request
1438
was read but before the HTTP response is sent.</p>
1439
1440
<p>
1463
<p>
1441
The following levels are available for <em>level</em>:</p>
1464
The following levels are available for <em>level</em>:</p>
1442
<ul>
1465
<ul>
1443
<li><strong>none</strong>:
1466
<li><code>none</code>
1444
     no remote server Certificate is required at all</li>
1467
    <p>No remote server Certificate verification will be performed.</p></li>
1445
<li><strong>optional</strong>:
1468
<li><code>optional_no_verify</code>
1446
     the remote server <em>may</em> present a valid Certificate</li>
1469
    <p>If the remote server provides a Certificate, it will be verified, but
1447
<li><strong>require</strong>:
1470
    the result will be ignored.</p></li>
1448
     the remote server <em>has to</em> present a valid Certificate</li>
1471
<li><code>optional_no_ca</code>
1449
<li><strong>optional_no_ca</strong>:
1472
    <p>If the remote server provides a Certificate, it will be verified. The
1450
     the remote server may present a valid Certificate<br />
1473
    connection will be accepted even if the Certificate is not signed by one of
1451
     but it need not to be (successfully) verifiable.</li>
1474
    the CAs listed in
1475
    <directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
1476
    <directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
1477
    be rejected if verification fails for any other reason.</p></li>
1478
<li><code>optional</code>
1479
    <p>If the remote server provides a Certificate, it will be verified, and the
1480
    connection will be rejected if verification fails.</p></li>
1481
<li><code>require</code>
1482
    <p>The connection will be rejected unless the remote server provides a
1483
    Certificate and that Certificate is successfully verified.</p></li>
1452
</ul>
1484
</ul>
1453
<p>In practice only levels <strong>none</strong> and
1485
<p>In practice, most users will want either <strong>none</strong> or
1454
<strong>require</strong> are really interesting, because level
1486
<strong>require</strong>, as the other levels allow a remote server to bypass
1455
<strong>optional</strong> doesn't work with all servers and level
1487
the authentication mechanism.  However, the other levels may be useful for
1456
<strong>optional_no_ca</strong> is actually against the idea of
1488
testing.</p>
1457
authentication (but can be used to establish SSL test pages, etc.)</p>
1458
<example><title>Example</title>
1489
<example><title>Example</title>
1459
SSLProxyVerify require
1490
SSLProxyVerify require
1460
</example>
1491
</example>
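Review bot: on the proxy side `optional_no_verify` and `none` give the same guarantee (any backend certificate is accepted), so the closing paragraph's "most users will want either none or require" understates the point: only `require` authenticates the backend, and the default of `none` means no verification is performed until the administrator changes it. The `optional_no_verify` bullet should also say that the verification result is only logged. Removing `directory`/`.htaccess` and the AuthConfig override matches the SSL_CMD_SRV registration of ProxyVerify in mod_ssl.c, so that part is a correct documentation fix, but it is unrelated to the new level and belongs in the commit message.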
Lines 1468-1487 Link Here
1468
<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1499
<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1469
<default>SSLProxyVerifyDepth 1</default>
1500
<default>SSLProxyVerifyDepth 1</default>
1470
<contextlist><context>server config</context>
1501
<contextlist><context>server config</context>
1471
<context>virtual host</context>
1502
<context>virtual host</context></contextlist>
1472
<context>directory</context>
1473
<context>.htaccess</context></contextlist>
1474
<override>AuthConfig</override>
1475
1503
1476
<usage>
1504
<usage>
1477
<p>
1505
<p>
1478
This directive sets how deeply mod_ssl should verify before deciding that the
1506
This directive sets how deeply mod_ssl should verify before deciding that the
1479
remote server does not have a valid certificate. Notice that this directive can be
1507
remote server does not have a valid certificate.</p>
1480
used both in per-server and per-directory context. In per-server context it
1481
applies to the client authentication process used in the standard SSL
1482
handshake when a connection is established. In per-directory context it forces
1483
a SSL renegotation with the reconfigured remote server verification depth after the
1484
HTTP request was read but before the HTTP response is sent.</p>
1485
<p>
1508
<p>
1486
The depth actually is the maximum number of intermediate certificate issuers,
1509
The depth actually is the maximum number of intermediate certificate issuers,
1487
i.e. the number of CA certificates which are max allowed to be followed while
1510
i.e. the number of CA certificates which are max allowed to be followed while
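Review bot: the contextlist fix matches SSL_CMD_SRV(ProxyVerifyDepth) and the deleted paragraph wrongly spoke of client authentication, so this hunk is right as far as it goes; but with the new level a depth limit is no longer enforced (the ssl_engine_kernel.c change in this patch accepts a too-long chain under `optional_no_verify` and only records the reason in SSL_CLIENT_VERIFY), so the SSLVerifyDepth text, and this one if the same verify callback serves proxy connections, should say that the depth is advisory under `optional_no_verify`.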
(-)modules/ssl/ssl_private.h (-1 / +2 lines)
Lines 231-237 Link Here
231
    SSL_CVERIFY_NONE            = 0,
231
    SSL_CVERIFY_NONE            = 0,
232
    SSL_CVERIFY_OPTIONAL        = 1,
232
    SSL_CVERIFY_OPTIONAL        = 1,
233
    SSL_CVERIFY_REQUIRE         = 2,
233
    SSL_CVERIFY_REQUIRE         = 2,
234
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
234
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3,
235
    SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
235
} ssl_verify_t;
236
} ssl_verify_t;
236
237
237
#define SSL_VERIFY_PEER_STRICT \
238
#define SSL_VERIFY_PEER_STRICT \
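Review bot: the new enumerator's value (4) does not follow the strength order that the renegotiation comment in ssl_engine_kernel.c gives (none << optional_no_verify << optional_no_ca << optional << require); any code that compares verify modes numerically would treat `optional_no_verify` as the strongest level. Either place the new value between NONE and OPTIONAL or add a comment that the enumerator values are not ordered by strictness. A comment on the enumerator itself stating that it accepts any presented certificate, revoked ones included, would also help the next reader.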
(-)modules/ssl/ssl_engine_init.c (-1 / +2 lines)
Lines 610-616 Link Here
610
    }
610
    }
611
611
612
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
612
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
613
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
613
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
614
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
614
    {
615
    {
615
        verify |= SSL_VERIFY_PEER;
616
        verify |= SSL_VERIFY_PEER;
616
    }
617
    }
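Review bot: this three-way test (OPTIONAL || OPTIONAL_NO_CA || OPTIONAL_NO_VERIFY) is now duplicated verbatim in ssl_engine_kernel.c; a small helper next to ssl_verify_error_is_optional() (for example `ssl_verify_mode_is_optional(mode)`) would keep the two sites from drifting the next time a level is added. The behaviour is right: every optional level needs SSL_VERIFY_PEER so that the certificate is requested and the callback gets to see it.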
(-)modules/ssl/ssl_engine_config.c (+3 lines)
Lines 916-921 Link Here
916
    else if (strcEQ(arg, "optional_no_ca")) {
916
    else if (strcEQ(arg, "optional_no_ca")) {
917
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
917
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
918
    }
918
    }
919
    else if (strcEQ(arg, "optional_no_verify")) {
920
        *id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
921
    }
919
    else {
922
    else {
920
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
923
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
921
                           ": Invalid argument '", arg, "'",
924
                           ": Invalid argument '", arg, "'",
(-)modules/ssl/ssl_engine_io.c (-10 / +12 lines)
Lines 1200-1207 Link Here
1200
    if ((verify_result != X509_V_OK) ||
1200
    if ((verify_result != X509_V_OK) ||
1201
        sslconn->verify_error)
1201
        sslconn->verify_error)
1202
    {
1202
    {
1203
        if (ssl_verify_error_is_optional(verify_result) &&
1203
        const char *error = sslconn->verify_error ?
1204
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
1204
            sslconn->verify_error :
1205
            X509_verify_cert_error_string(verify_result);
1206
1207
        if ((ssl_verify_error_is_optional(verify_result) &&
1208
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1209
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
1205
        {
1210
        {
1206
            /* leaving this log message as an error for the moment,
1211
            /* leaving this log message as an error for the moment,
1207
             * according to the mod_ssl docs:
1212
             * according to the mod_ssl docs:
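Review bot: the acceptance decision here keys on the per-server `sc->server->auth.verify_mode`, whereas the verify callback in ssl_engine_kernel.c uses the per-directory level; make sure a vhost at `optional` with a directory at `optional_no_verify` (or the reverse) behaves consistently, otherwise the callback can admit a certificate that this check then rejects, or vice versa. Hoisting `error` above the branch is fine since both branches now log it.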
Lines 1212-1228 Link Here
1212
             * in 1.x
1217
             * in 1.x
1213
             */
1218
             */
1214
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1219
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1215
                          "SSL client authentication failed, "
1220
                          "SSL client authentication failed, accepting "
1216
                          "accepting certificate based on "
1221
                          "certificate based on \"SSLVerifyClient "
1217
                          "\"SSLVerifyClient optional_no_ca\" "
1222
                          "optional_no_ca\" or \"SSLVerifyClient "
1218
                          "configuration");
1223
                          "optional_no_verify\" configuration: %s",
1224
                          error ? error : "unknown");
1219
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
1225
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
1220
        }
1226
        }
1221
        else {
1227
        else {
1222
            const char *error = sslconn->verify_error ?
1223
                sslconn->verify_error :
1224
                X509_verify_cert_error_string(verify_result);
1225
1226
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1228
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1227
                         "SSL client authentication failed: %s",
1229
                         "SSL client authentication failed: %s",
1228
                         error ? error : "unknown");
1230
                         error ? error : "unknown");
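Review bot: the INFO message now names both directive values regardless of which one is configured; log the actual mode (a `%s` with "optional_no_ca" or "optional_no_verify") so an operator can tell whether a revoked or expired certificate was admitted by `optional_no_verify`. Consider a level above INFO for the `optional_no_verify` case as well, since under it every verification failure is accepted and this line is invisible at the default LogLevel.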
(-)modules/ssl/ssl_engine_vars.c (-2 / +5 lines)
Lines 617-625 Link Here
617
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
617
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
618
        /* client verification done successful */
618
        /* client verification done successful */
619
        result = "SUCCESS";
619
        result = "SUCCESS";
620
    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
620
    else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
621
        /* client verification done in generous way */
621
        /* client verification done in generous way */
622
        result = "GENEROUS";
622
        if (verr)
623
            result = apr_psprintf(p, "GENEROUS:%s", verr);
624
        else
625
            result = "GENEROUS";
623
    else
626
    else
624
        /* client verification failed */
627
        /* client verification failed */
625
        result = apr_psprintf(p, "FAILED:%s", verr);
628
        result = apr_psprintf(p, "FAILED:%s", verr);
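Review bot: the brace-less `if (verr) ... else ...` nested inside the `else if` leaves the final `else` (the FAILED branch) relying on the dangling-else rule to bind to the GENEROUS test; it does, but wrap the inner pair in braces. Dropping `vrc == X509_V_OK` from the condition is safe only because a GENEROUS connection whose verification later failed never reaches this code; add a comment saying so. Since `verr` comes from X509_verify_cert_error_string(), the new value is `GENEROUS:` followed by free text containing spaces; document that the reason is human-readable, not a stable error code.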
(-)modules/ssl/ssl_engine_kernel.c (-22 / +58 lines)
Lines 519-525 Link Here
519
     * We force a renegotiation if the reconfigured/new verify type is
519
     * We force a renegotiation if the reconfigured/new verify type is
520
     * stronger than the currently active verify type.
520
     * stronger than the currently active verify type.
521
     *
521
     *
522
     * The order is: none << optional_no_ca << optional << require
522
     * The order is: none << optional_no_verify << optional_no_ca << optional << require
523
     *
523
     *
524
     * Additionally the following optimization is possible here: When the
524
     * Additionally the following optimization is possible here: When the
525
     * currently active verify type is "none" but a client certificate is
525
     * currently active verify type is "none" but a client certificate is
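Review bot: the comment promises an ordering, but the flags computed below map `optional_no_verify`, `optional_no_ca` and `optional` to the same SSL_VERIFY_PEER, so a per-directory change among those three does not alter `verify` and cannot trigger a renegotiation on its own; either the ordering is enforced somewhere else (say where) or the comparison needs to look at the mode as well as the OpenSSL flags, otherwise a directory that tightens `optional_no_verify` to `optional` keeps the certificate admitted under the lenient mode.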
Lines 541-548 Link Here
541
541
542
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
542
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
543
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
543
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
544
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
544
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
545
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
545
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
546
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
547
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
546
        {
548
        {
547
            verify |= SSL_VERIFY_PEER;
549
            verify |= SSL_VERIFY_PEER;
548
        }
550
        }
Lines 1377-1390 Link Here
1377
    }
1379
    }
1378
1380
1379
    if (ssl_verify_error_is_optional(errnum) &&
1381
    if (ssl_verify_error_is_optional(errnum) &&
1380
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1382
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1383
         (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
1381
    {
1384
    {
1382
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1385
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1383
                      "Certificate Verification: Verifiable Issuer is "
1386
                      "Certificate Verification: Error (%d) but verifiable "
1384
                      "configured as optional, therefore we're accepting "
1387
                      "Issuer is configured as optional, therefore we're "
1385
                      "the certificate");
1388
                      "accepting the certificate: %s", errnum,
1389
                      X509_verify_cert_error_string(errnum));
1386
1390
1387
        sslconn->verify_info = "GENEROUS";
1391
        sslconn->verify_info = "GENEROUS";
1392
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1388
        ok = TRUE;
1393
        ok = TRUE;
1389
    }
1394
    }
1390
1395
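Review bot: setting `sslconn->verify_error` for an accepted certificate changes what that field means: before this patch a non-NULL verify_error meant verification had failed, and the handshake filter in ssl_engine_io.c tests exactly that (`|| sslconn->verify_error`), which is why that hunk had to learn about the two lenient modes. Audit every other reader of verify_error, or record the accepted-case reason in a separate field, so that a later `if (sslconn->verify_error)` does not reject a connection the callback admitted. The log line now carrying the error number and string is an improvement.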
Lines 1424-1439 Link Here
1424
     * If we already know it's not ok, log the real reason
1429
     * If we already know it's not ok, log the real reason
1425
     */
1430
     */
1426
    if (!ok) {
1431
    if (!ok) {
1427
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1432
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1428
                      "Certificate Verification: Error (%d): %s",
1433
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1429
                      errnum, X509_verify_cert_error_string(errnum));
1434
                          "Certificate Verification: Error (%d) but "
1435
                          "verification is configured as optional, therefore "
1436
                          "we're accepting the certificate: %s", errnum,
1437
                          X509_verify_cert_error_string(errnum));
1430
1438
1431
        if (sslconn->client_cert) {
1439
            sslconn->verify_info = "GENEROUS";
1432
            X509_free(sslconn->client_cert);
1440
            if (!sslconn->verify_error) {
1433
            sslconn->client_cert = NULL;
1441
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1442
            }
1443
            ok = TRUE;
1434
        }
1444
        }
1435
        sslconn->client_dn = NULL;
1445
        else {
1436
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1446
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1447
                          "Certificate Verification: Error (%d): %s",
1448
                          errnum, X509_verify_cert_error_string(errnum));
1449
1450
            if (sslconn->client_cert) {
1451
                X509_free(sslconn->client_cert);
1452
                sslconn->client_cert = NULL;
1453
            }
1454
            sslconn->client_dn = NULL;
1455
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1456
        }
1437
    }
1457
    }
1438
1458
1439
    /*
1459
    /*
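Review bot: under `optional_no_verify` the unverified certificate is kept (the X509_free and `client_dn = NULL` cleanup only run in the else branch), so SSL_CLIENT_CERT, SSL_CLIENT_S_DN and the rest of the SSL_CLIENT_* variables describe an unverified chain; that is the intended feature, but it needs a comment here and a warning in the SSLVerifyClient documentation. Also the `if (!sslconn->verify_error)` guard keeps the first error in this branch while the `optional_no_ca` branch above overwrites it unconditionally; pick one policy (the first error is the more useful one for `GENEROUS:reason`) and apply it in both places.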
Lines 1447-1462 Link Here
1447
    }
1467
    }
1448
1468
1449
    if (errdepth > depth) {
1469
    if (errdepth > depth) {
1450
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1470
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1451
                      "Certificate Verification: Certificate Chain too long "
1471
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1452
                      "(chain has %d certificates, but maximum allowed are "
1472
                          "Certificate Verification: Certificate Chain too long "
1453
                      "only %d)",
1473
                          "(chain has %d certificates, but maximum allowed are "
1454
                      errdepth, depth);
1474
                          "only %d) but verification is configured as optional, "
1475
                          "therefore we're accepting the certificate",
1476
                          errdepth, depth);
1455
1477
1456
        errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1478
            sslconn->verify_info = "GENEROUS";
1457
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1479
            if (!sslconn->verify_error) {
1480
                errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1481
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1482
            }
1483
        }
1484
        else {
1485
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1486
                          "Certificate Verification: Certificate Chain too long "
1487
                          "(chain has %d certificates, but maximum allowed are "
1488
                          "only %d)",
1489
                          errdepth, depth);
1458
1490
1459
        ok = FALSE;
1491
            errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1492
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1493
1494
            ok = FALSE;
1495
        }
1460
    }
1496
    }
1461
1497
1462
    /*
1498
    /*
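Review bot: the accepted chain-too-long message is logged at APLOG_ERR while the analogous accepted-error message in the block above is APLOG_DEBUG; pick one level for "accepted despite error". `errnum` is assigned only inside the `if (!sslconn->verify_error)` guard, so it is left at its previous value when an earlier error was already recorded; set errnum unconditionally and guard only the verify_error assignment. Since SSLVerifyDepth is no longer enforced under `optional_no_verify`, the directive documentation should say so.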
(-)modules/ssl/mod_ssl.c (-2 / +2 lines)
Lines 114-120 Link Here
114
                "('/path/to/file' - PEM encoded)")
114
                "('/path/to/file' - PEM encoded)")
115
    SSL_CMD_ALL(VerifyClient, TAKE1,
115
    SSL_CMD_ALL(VerifyClient, TAKE1,
116
                "SSL Client verify type "
116
                "SSL Client verify type "
117
                "('none', 'optional', 'require', 'optional_no_ca')")
117
                "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
118
    SSL_CMD_ALL(VerifyDepth, TAKE1,
118
    SSL_CMD_ALL(VerifyDepth, TAKE1,
119
                "SSL Client verify depth "
119
                "SSL Client verify depth "
120
                "('N' - number of intermediate certificates)")
120
                "('N' - number of intermediate certificates)")
Lines 150-156 Link Here
150
               "('XXX:...:XXX' - see manual)")
150
               "('XXX:...:XXX' - see manual)")
151
    SSL_CMD_SRV(ProxyVerify, TAKE1,
151
    SSL_CMD_SRV(ProxyVerify, TAKE1,
152
               "SSL Proxy: whether to verify the remote certificate "
152
               "SSL Proxy: whether to verify the remote certificate "
153
               "('on' or 'off')")
153
               "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
154
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
154
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
155
               "SSL Proxy: maximum certificate verification depth "
155
               "SSL Proxy: maximum certificate verification depth "
156
               "('N' - number of intermediate certificates)")
156
               "('N' - number of intermediate certificates)")
