View | Details | Raw Unified | Return to bug 45922

(-)docs/manual/mod/mod_ssl.xml (-56 / +79 lines)
Lines 83-89 Link Here
83
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
83
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
84
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
84
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
85
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
85
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
86
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
86
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr>
87
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
87
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
88
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
88
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
89
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
89
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
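Review bot: the new `GENEROUS:<em>reason</em>` entry for SSL_CLIENT_VERIFY puts the placeholder inside the `<code>` element, while the `FAILED:` entry on the same row keeps `<em>reason</em>` outside it; use one convention for both. The bigger issue is a compatibility break that the table hides: the ssl_engine_kernel.c hunk now records `sslconn->verify_error` on the existing `optional_no_ca` path too, so deployments that compare SSL_CLIENT_VERIFY against the literal string `GENEROUS` (the only documented value until now) stop matching once a reason is appended. Either keep `GENEROUS` as the exact value and expose the reason through a separate variable, or note the change in CHANGES and tell application authors to test for the `GENEROUS:` prefix rather than equality.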
Lines 898-903 Link Here
898
specify an <em>all-in-one</em> file containing a concatenation of
898
specify an <em>all-in-one</em> file containing a concatenation of
899
PEM-encoded CA certificates.</p>
899
PEM-encoded CA certificates.</p>
900
900
901
<p>For testing purposes, any available certificate (signed by any CA)
902
may be requested by specifying a file containing only a single space
903
character. However note that while this trick happens to work with
904
most browsers, the SSL/TLS standards do not define the appropriate
905
behavior when the set of acceptable CA names is empty, so this is not
906
guaranteed to work with all browsers.</p>
907
901
<example><title>Example</title>
908
<example><title>Example</title>
902
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
909
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
903
</example>
910
</example>
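Review bot: the new paragraph beginning "For testing purposes" describes a file containing a single space character without saying what mod_ssl does with it, so the reader cannot tell whether the CertificateRequest is sent with an empty certificate_authorities list or whether loading the file fails quietly; state what is actually sent. The sentence "the SSL/TLS standards do not define the appropriate behavior when the set of acceptable CA names is empty" also overstates the gap: RFC 5246 section 7.4.4 says that when certificate_authorities is empty the client MAY send any certificate of the appropriate type, so the accurate caveat is that clients are permitted, not required, to send one. Since this trick only makes sense together with `SSLVerifyClient optional_no_verify`, cross-reference that directive here instead of leaving the reader to connect the two.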
Lines 995-1025 Link Here
995
1002
996
<usage>
1003
<usage>
997
<p>
1004
<p>
998
This directive sets the Certificate verification level for the Client
1005
This directive sets the Certificate verification level for Client Certificate
999
Authentication. Notice that this directive can be used both in per-server and
1006
Authentication. Notice that this directive can be used both in per-server and
1000
per-directory context. In per-server context it applies to the client
1007
per-directory context. In per-server context it applies to the client
1001
authentication process used in the standard SSL handshake when a connection is
1008
authentication process in the initial SSL handshake when a connection is
1002
established. In per-directory context it forces a SSL renegotation with the
1009
established. In per-directory context it forces a SSL renegotation with the
1003
reconfigured client verification level after the HTTP request was read but
1010
reconfigured client verification level after the HTTP request is read but
1004
before the HTTP response is sent.</p>
1011
before the HTTP response is sent.</p>
1005
<p>
1012
<p>
1006
The following levels are available for <em>level</em>:</p>
1013
The following levels are available for <em>level</em>:</p>
1007
<ul>
1014
<ul>
1008
<li><strong>none</strong>:
1015
<li><code>none</code>
1009
     no client Certificate is required at all</li>
1016
    <p>No client Certificate is requested.</p></li>
1010
<li><strong>optional</strong>:
1017
<li><code>optional_no_verify</code>
1011
     the client <em>may</em> present a valid Certificate</li>
1018
    <p>The client is asked to present a Certificate signed by one of the
1012
<li><strong>require</strong>:
1019
    acceptable CA Certificates, but will be accepted even if no Certificate is
1013
     the client <em>has to</em> present a valid Certificate</li>
1020
    provided, if the provided Certificate is not signed by one of the trusted
1014
<li><strong>optional_no_ca</strong>:
1021
    CA Certificates, or if the provided Certificate has been revoked or is
1015
     the client may present a valid Certificate<br />
1022
    otherwise invalid.</p></li>
1016
     but it need not to be (successfully) verifiable.</li>
1023
<li><code>optional_no_ca</code>
1024
    <p>The client is asked to present a Certificate signed by one of the
1025
    acceptable CA Certificates, and will be accepted even if no Certificate is
1026
    provided or if the provided Certificate is not signed by one of the
1027
    trusted CA Certificates, but will be disconnected if the provided
1028
    Certificate has been revoked or is otherwise invalid.</p></li>
1029
<li><code>optional</code>
1030
    <p>The client is asked to present a Certificate signed by one of the
1031
    acceptable CA Certificates, and will be accepted even if no Certificate is
1032
    provided, but will be disconnected if the provided Certificate is not
1033
    signed by one of the trusted CA Certificates, has been revoked, or is
1034
    otherwise invalid.</p></li>
1035
<li><code>require</code>
1036
    <p>The client is asked to present a Certificate signed by one of the
1037
    acceptable CA Certificates, and will be disconnected if no Certificate is
1038
    provided, if the provided Certificate is not signed by on of the trusted CA
1039
    Certificates, or if the provided Certificate has been revoked or is
1040
    otherwise invalid.</p></li>
1017
</ul>
1041
</ul>
1018
<p>In practice only levels <strong>none</strong> and
1042
<p>In practice, most users will want either <strong>none</strong> or
1019
<strong>require</strong> are really interesting, because level
1043
<strong>require</strong>, as the other levels allow users to bypass the
1020
<strong>optional</strong> doesn't work with all browsers and level
1044
authentication mechanism.  However, the other levels may be useful for testing,
1021
<strong>optional_no_ca</strong> is actually against the idea of
1045
or if your web application does it's own Certificate verification.</p>
1022
authentication (but can be used to establish SSL test pages, etc.)</p>
1046
<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and
1047
<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to
1048
configure the list of acceptable CA Certificates, and see the
1049
<directive module="mod_ssl">SSLCACertificateFile</directive> and
1050
<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
1051
configure the list of trusted CA Certificates.</p>
1052
<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels
1053
and no Certificate signed by one of the acceptable CA Certificates is available,
1054
the browser may give up and disconnect rather than continuing without providing
1055
a Certificate. If SSLv3 or TLS are used, the browser should always either
1056
provide a Certificate or attempt to continue without a Certificate.</p>
1023
<example><title>Example</title>
1057
<example><title>Example</title>
1024
SSLVerifyClient require
1058
SSLVerifyClient require
1025
</example>
1059
</example>
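Review bot: three typos in the new text: "signed by on of the trusted CA" should read "one of", "does it's own Certificate verification" should read "its own", and "forces a SSL renegotation" (carried over from the old text) should read "renegotiation". The reordering of the levels from weakest to strongest matches the ordering comment added in ssl_engine_kernel.c, which is good. What is missing is the caveat a deployer needs for `optional_no_verify` and `optional_no_ca`: the kernel hunk deliberately keeps `sslconn->client_cert` when the certificate fails verification, so SSL_CLIENT_S_DN and the other SSL_CLIENT_* variables are populated from a certificate the server did not verify. "allow users to bypass the authentication mechanism" is too soft; say explicitly that those variables must not be trusted unless SSL_CLIENT_VERIFY is exactly `SUCCESS`, and that a `GENEROUS:` or `FAILED:` prefix means the presented certificate was not verified.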
Lines 1418-1458 Link Here
1418
<syntax>SSLProxyVerify <em>level</em></syntax>
1452
<syntax>SSLProxyVerify <em>level</em></syntax>
1419
<default>SSLProxyVerify none</default>
1453
<default>SSLProxyVerify none</default>
1420
<contextlist><context>server config</context>
1454
<contextlist><context>server config</context>
1421
<context>virtual host</context>
1455
<context>virtual host</context></contextlist>
1422
<context>directory</context>
1423
<context>.htaccess</context></contextlist>
1424
<override>AuthConfig</override>
1425
1456
1426
<usage>
1457
<usage>
1427
1428
<p>When a proxy is configured to forward requests to a remote SSL
1458
<p>When a proxy is configured to forward requests to a remote SSL
1429
server, this directive can be used to configure certificate
1459
server, this directive can be used to configure verification of the
1430
verification of the remote server.  Notice that this directive can be
1460
remote server's SSL Certificate.</p>
1431
used both in per-server and per-directory context. In per-server
1432
context it applies to the remote server authentication process used in
1433
the standard SSL handshake when a connection is established by the
1434
proxy. In per-directory context it forces a SSL renegotation with the
1435
reconfigured remote server verification level after the HTTP request
1436
was read but before the HTTP response is sent.</p>
1437
1438
<p>
1461
<p>
1439
The following levels are available for <em>level</em>:</p>
1462
The following levels are available for <em>level</em>:</p>
1440
<ul>
1463
<ul>
1441
<li><strong>none</strong>:
1464
<li><code>none</code>
1442
     no remote server Certificate is required at all</li>
1465
    <p>No remote server Certificate verification will be performed.</p></li>
1443
<li><strong>optional</strong>:
1466
<li><code>optional_no_verify</code>
1444
     the remote server <em>may</em> present a valid Certificate</li>
1467
    <p>If the remote server provides a Certificate, it will be verified, but
1445
<li><strong>require</strong>:
1468
    the result will be ignored.</p></li>
1446
     the remote server <em>has to</em> present a valid Certificate</li>
1469
<li><code>optional_no_ca</code>
1447
<li><strong>optional_no_ca</strong>:
1470
    <p>If the remote server provides a Certificate, it will be verified. The
1448
     the remote server may present a valid Certificate<br />
1471
    connection will be accepted even if the Certificate is not signed by one of
1449
     but it need not to be (successfully) verifiable.</li>
1472
    the CAs listed in
1473
    <directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
1474
    <directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
1475
    be rejected if verification fails for any other reason.</p></li>
1476
<li><code>optional</code>
1477
    <p>If the remote server provides a Certificate, it will be verified, and the
1478
    connection will be rejected if verification fails.</p></li>
1479
<li><code>require</code>
1480
    <p>The connection will be rejected unless the remote server provides a
1481
    Certificate and that Certificate is successfully verified.</p></li>
1450
</ul>
1482
</ul>
1451
<p>In practice only levels <strong>none</strong> and
1483
<p>In practice, most users will want either <strong>none</strong> or
1452
<strong>require</strong> are really interesting, because level
1484
<strong>require</strong>, as the other levels allow a remote server to bypass
1453
<strong>optional</strong> doesn't work with all servers and level
1485
the authentication mechanism.  However, the other levels may be useful for
1454
<strong>optional_no_ca</strong> is actually against the idea of
1486
testing.</p>
1455
authentication (but can be used to establish SSL test pages, etc.)</p>
1456
<example><title>Example</title>
1487
<example><title>Example</title>
1457
SSLProxyVerify require
1488
SSLProxyVerify require
1458
</example>
1489
</example>
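Review bot: dropping the `directory` and `.htaccess` contexts and the AuthConfig override brings the documentation in line with `SSL_CMD_SRV(ProxyVerify, ...)` in mod_ssl.c, so that part is a correct fix. Two points on the level descriptions. First, "most users will want either none or require" keeps recommending `none` for the proxy direction, where it means the backend is never authenticated and any host that can answer on the backend's address can impersonate it; for a reverse proxy the sensible default advice is `require` with SSLProxyCACertificateFile or SSLProxyCACertificatePath, with `none` and `optional_no_verify` reserved for testing. Second, the `optional` text "If the remote server provides a Certificate, it will be verified, and the connection will be rejected if verification fails" does not say what happens when no certificate is presented at all, which in TLS only occurs with anonymous cipher suites; without that sentence `optional` and `require` read as identical.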
Lines 1466-1485 Link Here
1466
<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1497
<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1467
<default>SSLProxyVerifyDepth 1</default>
1498
<default>SSLProxyVerifyDepth 1</default>
1468
<contextlist><context>server config</context>
1499
<contextlist><context>server config</context>
1469
<context>virtual host</context>
1500
<context>virtual host</context></contextlist>
1470
<context>directory</context>
1471
<context>.htaccess</context></contextlist>
1472
<override>AuthConfig</override>
1473
1501
1474
<usage>
1502
<usage>
1475
<p>
1503
<p>
1476
This directive sets how deeply mod_ssl should verify before deciding that the
1504
This directive sets how deeply mod_ssl should verify before deciding that the
1477
remote server does not have a valid certificate. Notice that this directive can be
1505
remote server does not have a valid certificate.</p>
1478
used both in per-server and per-directory context. In per-server context it
1479
applies to the client authentication process used in the standard SSL
1480
handshake when a connection is established. In per-directory context it forces
1481
a SSL renegotation with the reconfigured remote server verification depth after the
1482
HTTP request was read but before the HTTP response is sent.</p>
1483
<p>
1506
<p>
1484
The depth actually is the maximum number of intermediate certificate issuers,
1507
The depth actually is the maximum number of intermediate certificate issuers,
1485
i.e. the number of CA certificates which are max allowed to be followed while
1508
i.e. the number of CA certificates which are max allowed to be followed while
(-)modules/ssl/ssl_private.h (-1 / +2 lines)
Lines 221-227 Link Here
221
    SSL_CVERIFY_NONE            = 0,
221
    SSL_CVERIFY_NONE            = 0,
222
    SSL_CVERIFY_OPTIONAL        = 1,
222
    SSL_CVERIFY_OPTIONAL        = 1,
223
    SSL_CVERIFY_REQUIRE         = 2,
223
    SSL_CVERIFY_REQUIRE         = 2,
224
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
224
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3,
225
    SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
225
} ssl_verify_t;
226
} ssl_verify_t;
226
227
227
#define SSL_VERIFY_PEER_STRICT \
228
#define SSL_VERIFY_PEER_STRICT \
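Review bot: the new value `SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4` does not follow the strength order that the ssl_engine_kernel.c comment in this patch defines, "none << optional_no_verify << optional_no_ca << optional << require". Numerically the enum reads NONE 0, OPTIONAL 1, REQUIRE 2, OPTIONAL_NO_CA 3, OPTIONAL_NO_VERIFY 4, so if the renegotiation code that the comment describes ("We force a renegotiation if the reconfigured/new verify type is stronger") compares modes by value, `optional_no_verify` is treated as the strongest level and a per-directory `require` would not force renegotiation away from it. Check how that comparison is done; if it is numeric, either renumber the enum to match the comment or introduce an explicit rank function and compare ranks instead of enum values.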
(-)modules/ssl/ssl_engine_init.c (-1 / +2 lines)
Lines 610-616 Link Here
610
    }
610
    }
611
611
612
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
612
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
613
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
613
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
614
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
614
    {
615
    {
615
        verify |= SSL_VERIFY_PEER;
616
        verify |= SSL_VERIFY_PEER;
616
    }
617
    }
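Review bot: the three-member test for "modes that set SSL_VERIFY_PEER" (OPTIONAL, OPTIONAL_NO_CA and now OPTIONAL_NO_VERIFY) is duplicated in the ssl_engine_kernel.c renegotiation hunk of this same patch, which already had to be extended twice. Put it behind one macro in ssl_private.h, for example `#define SSL_CVERIFY_IS_OPTIONAL(m) ((m) == SSL_CVERIFY_OPTIONAL || ...)`, so the next mode cannot be added in one place and forgotten in the other.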
(-)modules/ssl/ssl_engine_config.c (+3 lines)
Lines 914-919 Link Here
914
    else if (strcEQ(arg, "optional_no_ca")) {
914
    else if (strcEQ(arg, "optional_no_ca")) {
915
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
915
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
916
    }
916
    }
917
    else if (strcEQ(arg, "optional_no_verify")) {
918
        *id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
919
    }
917
    else {
920
    else {
918
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
921
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
919
                           ": Invalid argument '", arg, "'",
922
                           ": Invalid argument '", arg, "'",
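Review bot: the parser change itself is fine, and because this helper reports through `parms->cmd->name` it evidently serves both SSLVerifyClient and SSLProxyVerify, so both directives accept the new keyword. What is missing is any startup signal: an administrator who leaves `optional_no_verify` in a production configuration gets nothing but per-connection INFO and DEBUG lines. Log a one-time APLOG_WARNING in ssl_engine_init when `verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY` for either the server or the proxy context, stating that certificate verification results are being ignored.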
(-)modules/ssl/ssl_engine_io.c (-10 / +12 lines)
Lines 1202-1209 Link Here
1202
    if ((verify_result != X509_V_OK) ||
1202
    if ((verify_result != X509_V_OK) ||
1203
        sslconn->verify_error)
1203
        sslconn->verify_error)
1204
    {
1204
    {
1205
        if (ssl_verify_error_is_optional(verify_result) &&
1205
        const char *error = sslconn->verify_error ?
1206
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
1206
            sslconn->verify_error :
1207
            X509_verify_cert_error_string(verify_result);
1208
1209
        if ((ssl_verify_error_is_optional(verify_result) &&
1210
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1211
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
1207
        {
1212
        {
1208
            /* leaving this log message as an error for the moment,
1213
            /* leaving this log message as an error for the moment,
1209
             * according to the mod_ssl docs:
1214
             * according to the mod_ssl docs:
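Review bot: the condition is parenthesised correctly, and the effect is that for `optional_no_verify` every verification error, including X509_V_ERR_CERT_REVOKED and signature failures, now passes this check without going through `ssl_verify_error_is_optional()`; that matches what the documentation hunk promises. The comment immediately below, "leaving this log message as an error for the moment, according to the mod_ssl docs", still describes only the `optional_no_ca` case and should be updated to cover the new mode and its accept-everything semantics.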
Lines 1214-1230 Link Here
1214
             * in 1.x
1219
             * in 1.x
1215
             */
1220
             */
1216
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1221
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1217
                          "SSL client authentication failed, "
1222
                          "SSL client authentication failed, accepting "
1218
                          "accepting certificate based on "
1223
                          "certificate based on \"SSLVerifyClient "
1219
                          "\"SSLVerifyClient optional_no_ca\" "
1224
                          "optional_no_ca\" or \"SSLVerifyClient "
1220
                          "configuration");
1225
                          "optional_no_verify\" configuration: %s",
1226
                          error ? error : "unknown");
1221
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1227
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1222
        }
1228
        }
1223
        else {
1229
        else {
1224
            const char *error = sslconn->verify_error ?
1225
                sslconn->verify_error :
1226
                X509_verify_cert_error_string(verify_result);
1227
1228
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1230
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1229
                         "SSL client authentication failed: %s",
1231
                         "SSL client authentication failed: %s",
1230
                         error ? error : "unknown");
1232
                         error ? error : "unknown");
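Review bot: the reworded INFO message names both `"SSLVerifyClient optional_no_ca"` and `"SSLVerifyClient optional_no_verify"` without saying which one actually applied, so an operator reading the log cannot tell whether the server accepted a certificate from an unknown CA (optional_no_ca) or one that failed outright (optional_no_verify). Log the configured mode, for example via the existing verify_mode value, instead of listing both directives in a fixed string.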
(-)modules/ssl/ssl_engine_vars.c (-2 / +5 lines)
Lines 617-625 Link Here
617
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
617
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
618
        /* client verification done successful */
618
        /* client verification done successful */
619
        result = "SUCCESS";
619
        result = "SUCCESS";
620
    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
620
    else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
621
        /* client verification done in generous way */
621
        /* client verification done in generous way */
622
        result = "GENEROUS";
622
        if (verr)
623
            result = apr_psprintf(p, "GENEROUS:%s", verr);
624
        else
625
            result = "GENEROUS";
623
    else
626
    else
624
        /* client verification failed */
627
        /* client verification failed */
625
        result = apr_psprintf(p, "FAILED:%s", verr);
628
        result = apr_psprintf(p, "FAILED:%s", verr);
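Review bot: the body of the new `else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))` is a two-branch `if (verr) ... else ...` with no braces, followed by the chain's own `else`; httpd style uses braces, and the dangling `else` makes the pairing easy to misread, so wrap the body in braces. Dropping the `vrc == X509_V_OK` test is necessary now that the callback sets `verify_info` for an errored chain, but it means that once `verify_info` is "GENEROUS" it is never cleared: if the callback later fails hard at another depth, the `else` branch in ssl_engine_kernel.c frees `client_cert` and sets `verify_error` but leaves `verify_info` untouched, so this function would report `GENEROUS:<reason>` for a connection whose certificate was in fact rejected. Reset `sslconn->verify_info` to NULL on the hard-failure path.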
(-)modules/ssl/ssl_engine_kernel.c (-22 / +58 lines)
Lines 519-525 Link Here
519
     * We force a renegotiation if the reconfigured/new verify type is
519
     * We force a renegotiation if the reconfigured/new verify type is
520
     * stronger than the currently active verify type.
520
     * stronger than the currently active verify type.
521
     *
521
     *
522
     * The order is: none << optional_no_ca << optional << require
522
     * The order is: none << optional_no_verify << optional_no_ca << optional << require
523
     *
523
     *
524
     * Additionally the following optimization is possible here: When the
524
     * Additionally the following optimization is possible here: When the
525
     * currently active verify type is "none" but a client certificate is
525
     * currently active verify type is "none" but a client certificate is
Lines 541-548 Link Here
541
541
542
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
542
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
543
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
543
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
544
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
544
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
545
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
545
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
546
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
547
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
546
        {
548
        {
547
            verify |= SSL_VERIFY_PEER;
549
            verify |= SSL_VERIFY_PEER;
548
        }
550
        }
Lines 1377-1390 Link Here
1377
    }
1379
    }
1378
1380
1379
    if (ssl_verify_error_is_optional(errnum) &&
1381
    if (ssl_verify_error_is_optional(errnum) &&
1380
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1382
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1383
         (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
1381
    {
1384
    {
1382
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1385
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1383
                      "Certificate Verification: Verifiable Issuer is "
1386
                      "Certificate Verification: Error (%d) but verifiable "
1384
                      "configured as optional, therefore we're accepting "
1387
                      "Issuer is configured as optional, therefore we're "
1385
                      "the certificate");
1388
                      "accepting the certificate: %s", errnum,
1389
                      X509_verify_cert_error_string(errnum));
1386
1390
1387
        sslconn->verify_info = "GENEROUS";
1391
        sslconn->verify_info = "GENEROUS";
1392
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1388
        ok = TRUE;
1393
        ok = TRUE;
1389
    }
1394
    }
1390
1395
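Review bot: `sslconn->verify_error = X509_verify_cert_error_string(errnum);` is assigned unconditionally here, while the `optional_no_verify` branch added further down in the `if (!ok)` block assigns it only when it is still NULL. The callback runs once per certificate in the chain, so for `optional_no_verify` the recorded reason is "last error wins" when the error is one `ssl_verify_error_is_optional()` accepts and "first error wins" otherwise, and which string ends up in SSL_CLIENT_VERIFY depends on chain order. Pick one rule for both branches. Note also that this line is what first populates `verify_error` for plain `optional_no_ca`, which is the source of the SSL_CLIENT_VERIFY value change for existing configurations.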
Lines 1424-1439 Link Here
1424
     * If we already know it's not ok, log the real reason
1429
     * If we already know it's not ok, log the real reason
1425
     */
1430
     */
1426
    if (!ok) {
1431
    if (!ok) {
1427
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1432
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1428
                      "Certificate Verification: Error (%d): %s",
1433
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1429
                      errnum, X509_verify_cert_error_string(errnum));
1434
                          "Certificate Verification: Error (%d) but "
1435
                          "verification is configured as optional, therefore "
1436
                          "we're accepting the certificate: %s", errnum,
1437
                          X509_verify_cert_error_string(errnum));
1430
1438
1431
        if (sslconn->client_cert) {
1439
            sslconn->verify_info = "GENEROUS";
1432
            X509_free(sslconn->client_cert);
1440
            if (!sslconn->verify_error) {
1433
            sslconn->client_cert = NULL;
1441
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1442
            }
1443
            ok = TRUE;
1434
        }
1444
        }
1435
        sslconn->client_dn = NULL;
1445
        else {
1436
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1446
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1447
                          "Certificate Verification: Error (%d): %s",
1448
                          errnum, X509_verify_cert_error_string(errnum));
1449
1450
            if (sslconn->client_cert) {
1451
                X509_free(sslconn->client_cert);
1452
                sslconn->client_cert = NULL;
1453
            }
1454
            sslconn->client_dn = NULL;
1455
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1456
        }
1437
    }
1457
    }
1438
1458
1439
    /*
1459
    /*
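Review bot: the new `optional_no_verify` branch logs the accepted-despite-error event at APLOG_DEBUG, while ssl_engine_io.c in this same patch logs the same outcome at APLOG_INFO; an accepted certificate that failed verification should be visible without debug logging, so use INFO here as well. The message text "verification is configured as optional" would equally describe `optional` and `optional_no_ca`, neither of which takes this branch; say "optional_no_verify". Keeping `client_cert` (the free is now confined to the `else` branch) is what makes SSL_CLIENT_* reflect an unverified certificate, which is intended, but it deserves a comment at this spot because the `else` branch does the opposite a few lines later.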
Lines 1447-1462 Link Here
1447
    }
1467
    }
1448
1468
1449
    if (errdepth > depth) {
1469
    if (errdepth > depth) {
1450
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1470
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1451
                      "Certificate Verification: Certificate Chain too long "
1471
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1452
                      "(chain has %d certificates, but maximum allowed are "
1472
                          "Certificate Verification: Certificate Chain too long "
1453
                      "only %d)",
1473
                          "(chain has %d certificates, but maximum allowed are "
1454
                      errdepth, depth);
1474
                          "only %d) but verification is configured as optional, "
1475
                          "therefore we're accepting the certificate",
1476
                          errdepth, depth);
1455
1477
1456
        errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1478
            sslconn->verify_info = "GENEROUS";
1457
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1479
            if (!sslconn->verify_error) {
1480
                errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1481
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1482
            }
1483
        }
1484
        else {
1485
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1486
                          "Certificate Verification: Certificate Chain too long "
1487
                          "(chain has %d certificates, but maximum allowed are "
1488
                          "only %d)",
1489
                          errdepth, depth);
1458
1490
1459
        ok = FALSE;
1491
            errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1492
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1493
1494
            ok = FALSE;
1495
        }
1460
    }
1496
    }
1461
1497
1462
    /*
1498
    /*
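Review bot: in the `optional_no_verify` branch, `errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;` sits inside `if (!sslconn->verify_error)`, so when an earlier error has already been recorded `errnum` keeps its previous value for whatever the rest of the callback does with it; assign `errnum` unconditionally and guard only the `verify_error` string, as the `else` branch does. The accepted case is logged at APLOG_ERR here although the analogous acceptance above logs at APLOG_DEBUG; the two should agree. Finally this branch does not touch `ok`, relying on whatever value it had before, while the `else` branch sets `ok = FALSE`; set `ok = TRUE` explicitly so the intent is readable next to its sibling.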
(-)modules/ssl/mod_ssl.c (-2 / +2 lines)
Lines 114-120 Link Here
114
                "('/path/to/file' - PEM encoded)")
114
                "('/path/to/file' - PEM encoded)")
115
    SSL_CMD_ALL(VerifyClient, TAKE1,
115
    SSL_CMD_ALL(VerifyClient, TAKE1,
116
                "SSL Client verify type "
116
                "SSL Client verify type "
117
                "('none', 'optional', 'require', 'optional_no_ca')")
117
                "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
118
    SSL_CMD_ALL(VerifyDepth, TAKE1,
118
    SSL_CMD_ALL(VerifyDepth, TAKE1,
119
                "SSL Client verify depth "
119
                "SSL Client verify depth "
120
                "('N' - number of intermediate certificates)")
120
                "('N' - number of intermediate certificates)")
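Review bot: the new help string `"('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')"` runs past the 80-column limit httpd code otherwise keeps; split the literal. The same list is repeated verbatim for ProxyVerify later in this file, so consider a single `#define` for the level list and use it in both places.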
Lines 147-153 Link Here
147
               "('XXX:...:XXX' - see manual)")
147
               "('XXX:...:XXX' - see manual)")
148
    SSL_CMD_SRV(ProxyVerify, TAKE1,
148
    SSL_CMD_SRV(ProxyVerify, TAKE1,
149
               "SSL Proxy: whether to verify the remote certificate "
149
               "SSL Proxy: whether to verify the remote certificate "
150
               "('on' or 'off')")
150
               "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
151
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
151
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
152
               "SSL Proxy: maximum certificate verification depth "
152
               "SSL Proxy: maximum certificate verification depth "
153
               "('N' - number of intermediate certificates)")
153
               "('N' - number of intermediate certificates)")
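Review bot: replacing the stale `"('on' or 'off')"` is a real fix, since the directive has taken named levels for some time and the old text could send an administrator to a setting the parser rejects as "Invalid argument". The visible part of the parser in ssl_engine_config.c has no `on`/`off` branch, so if such values were ever accepted, the documentation should mention their removal; and as with the VerifyClient string, this literal exceeds 80 columns and duplicates the level list, which argues for one shared definition.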
