Attachment #25314 for bug #45922

View | Details | Raw Unified | Return to bug 45922
Collapse All | Expand All

Lines 81-87 Link Here

(-)docs/manual/mod/mod_ssl.xml (-54 / +79 lines)
81	<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>	81	<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
82	<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>	82	<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
83	<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>	83	<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
84	<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>	84	<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr>
85	<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>	85	<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
86	<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>	86	<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
87	<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>	87	<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
Lines 890-895 Link Here
890	specify an <em>all-in-one</em> file containing a concatenation of	890	specify an <em>all-in-one</em> file containing a concatenation of
891	PEM-encoded CA certificates.</p>	891	PEM-encoded CA certificates.</p>
892		892
		893	<p>For testing purposes, any available certificate (signed by any CA)
		894	may be requested by specifying a file containing only a single space
		895	character. However note that while this trick happens to work with
		896	most browsers, the SSL/TLS standards do not define the appropriate
		897	behavior when the set of acceptable CA names is empty, so this is not
		898	guaranteed to work with all browsers.</p>
		899
893	<example><title>Example</title>	900	<example><title>Example</title>
894	SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt	901	SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
895	</example>	902	</example>
Lines 987-1017 Link Here
987		994
988	<usage>	995	<usage>
989	<p>	996	<p>
990	This directive sets the Certificate verification level for the Client	997	This directive sets the Certificate verification level for Client Certificate
991	Authentication. Notice that this directive can be used both in per-server and	998	Authentication. Notice that this directive can be used both in per-server and
992	per-directory context. In per-server context it applies to the client	999	per-directory context. In per-server context it applies to the client
993	authentication process used in the standard SSL handshake when a connection is	1000	authentication process in the initial SSL handshake when a connection is
994	established. In per-directory context it forces a SSL renegotation with the	1001	established. In per-directory context it forces a SSL renegotation with the
995	reconfigured client verification level after the HTTP request was read but	1002	reconfigured client verification level after the HTTP request is read but
996	before the HTTP response is sent.</p>	1003	before the HTTP response is sent.</p>
997	<p>	1004	<p>
998	The following levels are available for <em>level</em>:</p>	1005	The following levels are available for <em>level</em>:</p>
999	<ul>	1006	<ul>
1000	<li><strong>none</strong>:	1007	<li><code>none</code>
1001	no client Certificate is required at all</li>	1008	<p>No client Certificate is requested.</p></li>
1002	<li><strong>optional</strong>:	1009	<li><code>optional_no_verify</code>
1003	the client <em>may</em> present a valid Certificate</li>	1010	<p>The client is asked to present a Certificate signed by one of the
1004	<li><strong>require</strong>:	1011	acceptable CA Certificates, but will be accepted even if no Certificate is
1005	the client <em>has to</em> present a valid Certificate</li>	1012	provided, if the provided Certificate is not signed by one of the trusted
1006	<li><strong>optional_no_ca</strong>:	1013	CA Certificates, or if the provided Certificate has been revoked or is
1007	the client may present a valid Certificate<br />	1014	otherwise invalid.</p></li>
1008	but it need not to be (successfully) verifiable.</li>	1015	<li><code>optional_no_ca</code>
		1016	<p>The client is asked to present a Certificate signed by one of the
		1017	acceptable CA Certificates, and will be accepted even if no Certificate is
		1018	provided or if the provided Certificate is not signed by one of the
		1019	trusted CA Certificates, but will be disconnected if the provided
		1020	Certificate has been revoked or is otherwise invalid.</p></li>
		1021	<li><code>optional</code>
		1022	<p>The client is asked to present a Certificate signed by one of the
		1023	acceptable CA Certificates, and will be accepted even if no Certificate is
		1024	provided, but will be disconnected if the provided Certificate is not
		1025	signed by one of the trusted CA Certificates, has been revoked, or is
		1026	otherwise invalid.</p></li>
		1027	<li><code>require</code>
		1028	<p>The client is asked to present a Certificate signed by one of the
		1029	acceptable CA Certificates, and will be disconnected if no Certificate is
		1030	provided, if the provided Certificate is not signed by on of the trusted CA
		1031	Certificates, or if the provided Certificate has been revoked or is
		1032	otherwise invalid.</p></li>
1009	</ul>	1033	</ul>
1010	<p>In practice only levels <strong>none</strong> and	1034	<p>In practice, most users will want either <strong>none</strong> or
1011	<strong>require</strong> are really interesting, because level	1035	<strong>require</strong>, as the other levels allow users to bypass the
1012	<strong>optional</strong> doesn't work with all browsers and level	1036	authentication mechanism. However, the other levels may be useful for testing,
1013	<strong>optional_no_ca</strong> is actually against the idea of	1037	or if your web application does it's own Certificate verification.</p>
1014	authentication (but can be used to establish SSL test pages, etc.)</p>	1038	<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and
		1039	<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to
		1040	configure the list of acceptable CA Certificates, and see the
		1041	<directive module="mod_ssl">SSLCACertificateFile</directive> and
		1042	<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
		1043	configure the list of trusted CA Certificates.</p>
		1044	<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels
		1045	and no Certificate signed by one of the acceptable CA Certificates is available,
		1046	the browser may give up and disconnect rather than continuing without providing
		1047	a Certificate. If SSLv3 or TLS are used, the browser should always either
		1048	provide a Certificate or attempt to continue without a Certificate.</p>
1015	<example><title>Example</title>	1049	<example><title>Example</title>
1016	SSLVerifyClient require	1050	SSLVerifyClient require
1017	</example>	1051	</example>
Lines 1440-1461 Link Here
1440	<syntax>SSLProxyVerify <em>level</em></syntax>	1474	<syntax>SSLProxyVerify <em>level</em></syntax>
1441	<default>SSLProxyVerify none</default>	1475	<default>SSLProxyVerify none</default>
1442	<contextlist><context>server config</context>	1476	<contextlist><context>server config</context>
1443	<context>virtual host</context>	1477	<context>virtual host</context></contextlist>
1444	<context>directory</context>
1445	<context>.htaccess</context></contextlist>
1446	<override>AuthConfig</override>
1447		1478
1448	<usage>	1479	<usage>
1449		1480
1450	<p>When a proxy is configured to forward requests to a remote SSL	1481	<p>When a proxy is configured to forward requests to a remote SSL
1451	server, this directive can be used to configure certificate	1482	server, this directive can be used to configure verification of the
1452	verification of the remote server. Notice that this directive can be	1483	remote server's SSL Certificate.</p>
1453	used both in per-server and per-directory context. In per-server
1454	context it applies to the remote server authentication process used in
1455	the standard SSL handshake when a connection is established by the
1456	proxy. In per-directory context it forces a SSL renegotation with the
1457	reconfigured remote server verification level after the HTTP request
1458	was read but before the HTTP response is sent.</p>
1459		1484
1460	<note type="warning">	1485	<note type="warning">
1461	<p>Note that even when certificate verification is enabled,	1486	<p>Note that even when certificate verification is enabled,
Lines 1477-1497 Link Here
1477	<p>	1502	<p>
1478	The following levels are available for <em>level</em>:</p>	1503	The following levels are available for <em>level</em>:</p>
1479	<ul>	1504	<ul>
1480	<li><strong>none</strong>:	1505	<li><code>none</code>
1481	no remote server Certificate is required at all</li>	1506	<p>No remote server Certificate verification will be performed.</p></li>
1482	<li><strong>optional</strong>:	1507	<li><code>optional_no_verify</code>
1483	the remote server <em>may</em> present a valid Certificate</li>	1508	<p>If the remote server provides a Certificate, it will be verified, but
1484	<li><strong>require</strong>:	1509	the result will be ignored.</p></li>
1485	the remote server <em>has to</em> present a valid Certificate</li>	1510	<li><code>optional_no_ca</code>
1486	<li><strong>optional_no_ca</strong>:	1511	<p>If the remote server provides a Certificate, it will be verified. The
1487	the remote server may present a valid Certificate<br />	1512	connection will be accepted even if the Certificate is not signed by one of
1488	but it need not to be (successfully) verifiable.</li>	1513	the CAs listed in
		1514	<directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
		1515	<directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
		1516	be rejected if verification fails for any other reason.</p></li>
		1517	<li><code>optional</code>
		1518	<p>If the remote server provides a Certificate, it will be verified, and the
		1519	connection will be rejected if verification fails.</p></li>
		1520	<li><code>require</code>
		1521	<p>The connection will be rejected unless the remote server provides a
		1522	Certificate and that Certificate is successfully verified.</p></li>
1489	</ul>	1523	</ul>
1490	<p>In practice only levels <strong>none</strong> and	1524	<p>In practice, most users will want either <strong>none</strong> or
1491	<strong>require</strong> are really interesting, because level	1525	<strong>require</strong>, as the other levels allow a remote server to bypass
1492	<strong>optional</strong> doesn't work with all servers and level	1526	the authentication mechanism. However, the other levels may be useful for
1493	<strong>optional_no_ca</strong> is actually against the idea of	1527	testing.</p>
1494	authentication (but can be used to establish SSL test pages, etc.)</p>
1495	<example><title>Example</title>	1528	<example><title>Example</title>
1496	SSLProxyVerify require	1529	SSLProxyVerify require
1497	</example>	1530	</example>
Lines 1505-1524 Link Here
1505	<syntax>SSLProxyVerifyDepth <em>number</em></syntax>	1538	<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1506	<default>SSLProxyVerifyDepth 1</default>	1539	<default>SSLProxyVerifyDepth 1</default>
1507	<contextlist><context>server config</context>	1540	<contextlist><context>server config</context>
1508	<context>virtual host</context>	1541	<context>virtual host</context></contextlist>
1509	<context>directory</context>
1510	<context>.htaccess</context></contextlist>
1511	<override>AuthConfig</override>
1512		1542
1513	<usage>	1543	<usage>
1514	<p>	1544	<p>
1515	This directive sets how deeply mod_ssl should verify before deciding that the	1545	This directive sets how deeply mod_ssl should verify before deciding that the
1516	remote server does not have a valid certificate. Notice that this directive can be	1546	remote server does not have a valid certificate.</p>
1517	used both in per-server and per-directory context. In per-server context it
1518	applies to the client authentication process used in the standard SSL
1519	handshake when a connection is established. In per-directory context it forces
1520	a SSL renegotation with the reconfigured remote server verification depth after the
1521	HTTP request was read but before the HTTP response is sent.</p>
1522	<p>	1547	<p>
1523	The depth actually is the maximum number of intermediate certificate issuers,	1548	The depth actually is the maximum number of intermediate certificate issuers,
1524	i.e. the number of CA certificates which are max allowed to be followed while	1549	i.e. the number of CA certificates which are max allowed to be followed while

Lines 229-235 Link Here

(-)modules/ssl/ssl_private.h (-1 / +2 lines)
229	SSL_CVERIFY_NONE = 0,	229	SSL_CVERIFY_NONE = 0,
230	SSL_CVERIFY_OPTIONAL = 1,	230	SSL_CVERIFY_OPTIONAL = 1,
231	SSL_CVERIFY_REQUIRE = 2,	231	SSL_CVERIFY_REQUIRE = 2,
232	SSL_CVERIFY_OPTIONAL_NO_CA = 3	232	SSL_CVERIFY_OPTIONAL_NO_CA = 3,
		233	SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
233	} ssl_verify_t;	234	} ssl_verify_t;
234		235
235	#define SSL_VERIFY_PEER_STRICT \	236	#define SSL_VERIFY_PEER_STRICT \

Lines 534-540 Link Here

(-)modules/ssl/ssl_engine_init.c (-1 / +2 lines)
534	}	534	}
535		535
536	if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|	536	if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|
537	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	537	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		538	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
538	{	539	{
539	verify \|= SSL_VERIFY_PEER;	540	verify \|= SSL_VERIFY_PEER;
540	}	541	}

Lines 938-943 Link Here

(-)modules/ssl/ssl_engine_config.c (+3 lines)
938	else if (strcEQ(arg, "optional_no_ca")) {	938	else if (strcEQ(arg, "optional_no_ca")) {
939	*id = SSL_CVERIFY_OPTIONAL_NO_CA;	939	*id = SSL_CVERIFY_OPTIONAL_NO_CA;
940	}	940	}
		941	else if (strcEQ(arg, "optional_no_verify")) {
		942	*id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
		943	}
941	else {	944	else {
942	return apr_pstrcat(parms->temp_pool, parms->cmd->name,	945	return apr_pstrcat(parms->temp_pool, parms->cmd->name,
943	": Invalid argument '", arg, "'",	946	": Invalid argument '", arg, "'",




    if ((verify_result != X509_V_OK) ||
        sslconn->verify_error)
    {
        const char *error = sslconn->verify_error ?
            sslconn->verify_error :
            X509_verify_cert_error_string(verify_result);

        if ((ssl_verify_error_is_optional(verify_result) &&
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:

             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, accepting "
                          "certificate based on \"SSLVerifyClient "
                          "optional_no_ca\" or \"SSLVerifyClient "
                          "optional_no_verify\" configuration: %s",
                          error ? error : "unknown");
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
        }
        else {
            const char *error = sslconn->verify_error ?
                sslconn->verify_error :
                X509_verify_cert_error_string(verify_result);

            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                         "SSL client authentication failed: %s",
                         error ? error : "unknown");

Lines 611-619 Link Here

(-)modules/ssl/ssl_engine_vars.c (-2 / +5 lines)
611	else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)	611	else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
612	/* client verification done successful */	612	/* client verification done successful */
613	result = "SUCCESS";	613	result = "SUCCESS";
614	else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))	614	else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
615	/* client verification done in generous way */	615	/* client verification done in generous way */
616	result = "GENEROUS";	616	if (verr)
		617	result = apr_psprintf(p, "GENEROUS:%s", verr);
		618	else
		619	result = "GENEROUS";
617	else	620	else
618	/* client verification failed */	621	/* client verification failed */
619	result = apr_psprintf(p, "FAILED:%s", verr);	622	result = apr_psprintf(p, "FAILED:%s", verr);




     * We force a renegotiation if the reconfigured/new verify type is
     * stronger than the currently active verify type.
     *
     * The order is: none << optional_no_verify << optional_no_ca << optional << require
     *
     * Additionally the following optimization is possible here: When the
     * currently active verify type is "none" but a client certificate is


        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
        {
            verify |= SSL_VERIFY_PEER;
        }

    }

    if (ssl_verify_error_is_optional(errnum) &&
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
         (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                      "Certificate Verification: Error (%d) but verifiable "
                      "Issuer is configured as optional, therefore we're "
                      "accepting the certificate: %s", errnum,
                      X509_verify_cert_error_string(errnum));

        sslconn->verify_info = "GENEROUS";
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
        ok = TRUE;
    }


     * If we already know it's not ok, log the real reason
     */
    if (!ok) {
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                          "Certificate Verification: Error (%d) but "
                          "verification is configured as optional, therefore "
                          "we're accepting the certificate: %s", errnum,
                          X509_verify_cert_error_string(errnum));

            sslconn->verify_info = "GENEROUS";
            if (!sslconn->verify_error) {
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
            }
            ok = TRUE;
        }
        else {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Error (%d): %s",
                          errnum, X509_verify_cert_error_string(errnum));

            if (sslconn->client_cert) {
                X509_free(sslconn->client_cert);
                sslconn->client_cert = NULL;
            }
            sslconn->client_dn = NULL;
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
        }
    }

    /*

    }

    if (errdepth > depth) {
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Certificate Chain too long "
                          "(chain has %d certificates, but maximum allowed are "
                          "only %d) but verification is configured as optional, "
                          "therefore we're accepting the certificate",
                          errdepth, depth);

            sslconn->verify_info = "GENEROUS";
            if (!sslconn->verify_error) {
                errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
            }
        }
        else {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Certificate Chain too long "
                          "(chain has %d certificates, but maximum allowed are "
                          "only %d)",
                          errdepth, depth);

            errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
            sslconn->verify_error = X509_verify_cert_error_string(errnum);

            ok = FALSE;
        }
    }

    /*

Return to bug 45922

Lines 1169-1176 Link Here

(-)modules/ssl/ssl_engine_io.c (-10 / +12 lines)
1169	if ((verify_result != X509_V_OK) \|\|	1169	if ((verify_result != X509_V_OK) \|\|
1170	sslconn->verify_error)	1170	sslconn->verify_error)
1171	{	1171	{
1172	if (ssl_verify_error_is_optional(verify_result) &&	1172	const char *error = sslconn->verify_error ?
1173	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	1173	sslconn->verify_error :
		1174	X509_verify_cert_error_string(verify_result);
		1175
		1176	if ((ssl_verify_error_is_optional(verify_result) &&
		1177	sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		1178	sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
1174	{	1179	{
1175	/* leaving this log message as an error for the moment,	1180	/* leaving this log message as an error for the moment,
1176	* according to the mod_ssl docs:	1181	* according to the mod_ssl docs:
Lines 1181-1197 Link Here
1181	* in 1.x	1186	* in 1.x
1182	*/	1187	*/
1183	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,	1188	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1184	"SSL client authentication failed, "	1189	"SSL client authentication failed, accepting "
1185	"accepting certificate based on "	1190	"certificate based on \"SSLVerifyClient "
1186	"\"SSLVerifyClient optional_no_ca\" "	1191	"optional_no_ca\" or \"SSLVerifyClient "
1187	"configuration");	1192	"optional_no_verify\" configuration: %s",
		1193	error ? error : "unknown");
1188	ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);	1194	ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
1189	}	1195	}
1190	else {	1196	else {
1191	const char *error = sslconn->verify_error ?
1192	sslconn->verify_error :
1193	X509_verify_cert_error_string(verify_result);
1194
1195	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,	1197	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1196	"SSL client authentication failed: %s",	1198	"SSL client authentication failed: %s",
1197	error ? error : "unknown");	1199	error ? error : "unknown");

Lines 454-460 Link Here

(-)modules/ssl/ssl_engine_kernel.c (-22 / +58 lines)
454	* We force a renegotiation if the reconfigured/new verify type is	454	* We force a renegotiation if the reconfigured/new verify type is
455	* stronger than the currently active verify type.	455	* stronger than the currently active verify type.
456	*	456	*
457	* The order is: none << optional_no_ca << optional << require	457	* The order is: none << optional_no_verify << optional_no_ca << optional << require
458	*	458	*
459	* Additionally the following optimization is possible here: When the	459	* Additionally the following optimization is possible here: When the
460	* currently active verify type is "none" but a client certificate is	460	* currently active verify type is "none" but a client certificate is
Lines 476-483 Link Here
476		476
477	if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) \|\|	477	if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) \|\|
478	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|	478	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		479	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) \|\|
479	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|	480	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|
480	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	481	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		482	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
481	{	483	{
482	verify \|= SSL_VERIFY_PEER;	484	verify \|= SSL_VERIFY_PEER;
483	}	485	}
Lines 1354-1367 Link Here
1354	}	1356	}
1355		1357
1356	if (ssl_verify_error_is_optional(errnum) &&	1358	if (ssl_verify_error_is_optional(errnum) &&
1357	(verify == SSL_CVERIFY_OPTIONAL_NO_CA))	1359	((verify == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		1360	(verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
1358	{	1361	{
1359	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,	1362	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1360	"Certificate Verification: Verifiable Issuer is "	1363	"Certificate Verification: Error (%d) but verifiable "
1361	"configured as optional, therefore we're accepting "	1364	"Issuer is configured as optional, therefore we're "
1362	"the certificate");	1365	"accepting the certificate: %s", errnum,
		1366	X509_verify_cert_error_string(errnum));
1363		1367
1364	sslconn->verify_info = "GENEROUS";	1368	sslconn->verify_info = "GENEROUS";
		1369	sslconn->verify_error = X509_verify_cert_error_string(errnum);
1365	ok = TRUE;	1370	ok = TRUE;
1366	}	1371	}
1367		1372
Lines 1378-1393 Link Here
1378	* If we already know it's not ok, log the real reason	1383	* If we already know it's not ok, log the real reason
1379	*/	1384	*/
1380	if (!ok) {	1385	if (!ok) {
1381	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,	1386	if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1382	"Certificate Verification: Error (%d): %s",	1387	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1383	errnum, X509_verify_cert_error_string(errnum));	1388	"Certificate Verification: Error (%d) but "
		1389	"verification is configured as optional, therefore "
		1390	"we're accepting the certificate: %s", errnum,
		1391	X509_verify_cert_error_string(errnum));
1384		1392
1385	if (sslconn->client_cert) {	1393	sslconn->verify_info = "GENEROUS";
1386	X509_free(sslconn->client_cert);	1394	if (!sslconn->verify_error) {
1387	sslconn->client_cert = NULL;	1395	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1396	}
		1397	ok = TRUE;
1388	}	1398	}
1389	sslconn->client_dn = NULL;	1399	else {
1390	sslconn->verify_error = X509_verify_cert_error_string(errnum);	1400	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
		1401	"Certificate Verification: Error (%d): %s",
		1402	errnum, X509_verify_cert_error_string(errnum));
		1403
		1404	if (sslconn->client_cert) {
		1405	X509_free(sslconn->client_cert);
		1406	sslconn->client_cert = NULL;
		1407	}
		1408	sslconn->client_dn = NULL;
		1409	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1410	}
1391	}	1411	}
1392		1412
1393	/*	1413	/*
Lines 1401-1416 Link Here
1401	}	1421	}
1402		1422
1403	if (errdepth > depth) {	1423	if (errdepth > depth) {
1404	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,	1424	if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1405	"Certificate Verification: Certificate Chain too long "	1425	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1406	"(chain has %d certificates, but maximum allowed are "	1426	"Certificate Verification: Certificate Chain too long "
1407	"only %d)",	1427	"(chain has %d certificates, but maximum allowed are "
1408	errdepth, depth);	1428	"only %d) but verification is configured as optional, "
		1429	"therefore we're accepting the certificate",
		1430	errdepth, depth);
1409		1431
1410	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;	1432	sslconn->verify_info = "GENEROUS";
1411	sslconn->verify_error = X509_verify_cert_error_string(errnum);	1433	if (!sslconn->verify_error) {
		1434	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
		1435	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1436	}
		1437	}
		1438	else {
		1439	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
		1440	"Certificate Verification: Certificate Chain too long "
		1441	"(chain has %d certificates, but maximum allowed are "
		1442	"only %d)",
		1443	errdepth, depth);
1412		1444
1413	ok = FALSE;	1445	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
		1446	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1447
		1448	ok = FALSE;
		1449	}
1414	}	1450	}
1415		1451
1416	/*	1452	/*

Lines 131-137 Link Here

(-)modules/ssl/mod_ssl.c (-2 / +2 lines)
131	"(`/path/to/file' - PEM encoded)")	131	"(`/path/to/file' - PEM encoded)")
132	SSL_CMD_ALL(VerifyClient, TAKE1,	132	SSL_CMD_ALL(VerifyClient, TAKE1,
133	"SSL Client verify type "	133	"SSL Client verify type "
134	"(`none', `optional', `require', `optional_no_ca')")	134	"(`none', `optional_no_verify', `optional_no_ca', `optional', `require')")
135	SSL_CMD_ALL(VerifyDepth, TAKE1,	135	SSL_CMD_ALL(VerifyDepth, TAKE1,
136	"SSL Client verify depth "	136	"SSL Client verify depth "
137	"(`N' - number of intermediate certificates)")	137	"(`N' - number of intermediate certificates)")
Lines 164-170 Link Here
164	"(`XXX:...:XXX' - see manual)")	164	"(`XXX:...:XXX' - see manual)")
165	SSL_CMD_SRV(ProxyVerify, TAKE1,	165	SSL_CMD_SRV(ProxyVerify, TAKE1,
166	"SSL Proxy: whether to verify the remote certificate "	166	"SSL Proxy: whether to verify the remote certificate "
167	"(`on' or `off')")	167	"(`none', `optional_no_verify', `optional_no_ca', `optional', `require')")
168	SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,	168	SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
169	"SSL Proxy: maximum certificate verification depth "	169	"SSL Proxy: maximum certificate verification depth "
170	"(`N' - number of intermediate certificates)")	170	"(`N' - number of intermediate certificates)")