Attachment #25539 for bug #45922

View | Details | Raw Unified | Return to bug 45922
Collapse All | Expand All

Lines 83-89 Link Here

(-)docs/manual/mod/mod_ssl.xml (-56 / +79 lines)
83	<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>	83	<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
84	<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>	84	<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
85	<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>	85	<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
86	<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>	86	<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr>
87	<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>	87	<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
88	<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>	88	<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
89	<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>	89	<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
Lines 898-903 Link Here
898	specify an <em>all-in-one</em> file containing a concatenation of	898	specify an <em>all-in-one</em> file containing a concatenation of
899	PEM-encoded CA certificates.</p>	899	PEM-encoded CA certificates.</p>
900		900
		901	<p>For testing purposes, any available certificate (signed by any CA)
		902	may be requested by specifying a file containing only a single space
		903	character. However note that while this trick happens to work with
		904	most browsers, the SSL/TLS standards do not define the appropriate
		905	behavior when the set of acceptable CA names is empty, so this is not
		906	guaranteed to work with all browsers.</p>
		907
901	<example><title>Example</title>	908	<example><title>Example</title>
902	SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt	909	SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
903	</example>	910	</example>
Lines 995-1025 Link Here
995		1002
996	<usage>	1003	<usage>
997	<p>	1004	<p>
998	This directive sets the Certificate verification level for the Client	1005	This directive sets the Certificate verification level for Client Certificate
999	Authentication. Notice that this directive can be used both in per-server and	1006	Authentication. Notice that this directive can be used both in per-server and
1000	per-directory context. In per-server context it applies to the client	1007	per-directory context. In per-server context it applies to the client
1001	authentication process used in the standard SSL handshake when a connection is	1008	authentication process in the initial SSL handshake when a connection is
1002	established. In per-directory context it forces a SSL renegotation with the	1009	established. In per-directory context it forces a SSL renegotation with the
1003	reconfigured client verification level after the HTTP request was read but	1010	reconfigured client verification level after the HTTP request is read but
1004	before the HTTP response is sent.</p>	1011	before the HTTP response is sent.</p>
1005	<p>	1012	<p>
1006	The following levels are available for <em>level</em>:</p>	1013	The following levels are available for <em>level</em>:</p>
1007	<ul>	1014	<ul>
1008	<li><strong>none</strong>:	1015	<li><code>none</code>
1009	no client Certificate is required at all</li>	1016	<p>No client Certificate is requested.</p></li>
1010	<li><strong>optional</strong>:	1017	<li><code>optional_no_verify</code>
1011	the client <em>may</em> present a valid Certificate</li>	1018	<p>The client is asked to present a Certificate signed by one of the
1012	<li><strong>require</strong>:	1019	acceptable CA Certificates, but will be accepted even if no Certificate is
1013	the client <em>has to</em> present a valid Certificate</li>	1020	provided, if the provided Certificate is not signed by one of the trusted
1014	<li><strong>optional_no_ca</strong>:	1021	CA Certificates, or if the provided Certificate has been revoked or is
1015	the client may present a valid Certificate<br />	1022	otherwise invalid.</p></li>
1016	but it need not to be (successfully) verifiable.</li>	1023	<li><code>optional_no_ca</code>
		1024	<p>The client is asked to present a Certificate signed by one of the
		1025	acceptable CA Certificates, and will be accepted even if no Certificate is
		1026	provided or if the provided Certificate is not signed by one of the
		1027	trusted CA Certificates, but will be disconnected if the provided
		1028	Certificate has been revoked or is otherwise invalid.</p></li>
		1029	<li><code>optional</code>
		1030	<p>The client is asked to present a Certificate signed by one of the
		1031	acceptable CA Certificates, and will be accepted even if no Certificate is
		1032	provided, but will be disconnected if the provided Certificate is not
		1033	signed by one of the trusted CA Certificates, has been revoked, or is
		1034	otherwise invalid.</p></li>
		1035	<li><code>require</code>
		1036	<p>The client is asked to present a Certificate signed by one of the
		1037	acceptable CA Certificates, and will be disconnected if no Certificate is
		1038	provided, if the provided Certificate is not signed by on of the trusted CA
		1039	Certificates, or if the provided Certificate has been revoked or is
		1040	otherwise invalid.</p></li>
1017	</ul>	1041	</ul>
1018	<p>In practice only levels <strong>none</strong> and	1042	<p>In practice, most users will want either <strong>none</strong> or
1019	<strong>require</strong> are really interesting, because level	1043	<strong>require</strong>, as the other levels allow users to bypass the
1020	<strong>optional</strong> doesn't work with all browsers and level	1044	authentication mechanism. However, the other levels may be useful for testing,
1021	<strong>optional_no_ca</strong> is actually against the idea of	1045	or if your web application does it's own Certificate verification.</p>
1022	authentication (but can be used to establish SSL test pages, etc.)</p>	1046	<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and
		1047	<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to
		1048	configure the list of acceptable CA Certificates, and see the
		1049	<directive module="mod_ssl">SSLCACertificateFile</directive> and
		1050	<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
		1051	configure the list of trusted CA Certificates.</p>
		1052	<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels
		1053	and no Certificate signed by one of the acceptable CA Certificates is available,
		1054	the browser may give up and disconnect rather than continuing without providing
		1055	a Certificate. If SSLv3 or TLS are used, the browser should always either
		1056	provide a Certificate or attempt to continue without a Certificate.</p>
1023	<example><title>Example</title>	1057	<example><title>Example</title>
1024	SSLVerifyClient require	1058	SSLVerifyClient require
1025	</example>	1059	</example>
Lines 1418-1458 Link Here
1418	<syntax>SSLProxyVerify <em>level</em></syntax>	1452	<syntax>SSLProxyVerify <em>level</em></syntax>
1419	<default>SSLProxyVerify none</default>	1453	<default>SSLProxyVerify none</default>
1420	<contextlist><context>server config</context>	1454	<contextlist><context>server config</context>
1421	<context>virtual host</context>	1455	<context>virtual host</context></contextlist>
1422	<context>directory</context>
1423	<context>.htaccess</context></contextlist>
1424	<override>AuthConfig</override>
1425		1456
1426	<usage>	1457	<usage>
1427
1428	<p>When a proxy is configured to forward requests to a remote SSL	1458	<p>When a proxy is configured to forward requests to a remote SSL
1429	server, this directive can be used to configure certificate	1459	server, this directive can be used to configure verification of the
1430	verification of the remote server. Notice that this directive can be	1460	remote server's SSL Certificate.</p>
1431	used both in per-server and per-directory context. In per-server
1432	context it applies to the remote server authentication process used in
1433	the standard SSL handshake when a connection is established by the
1434	proxy. In per-directory context it forces a SSL renegotation with the
1435	reconfigured remote server verification level after the HTTP request
1436	was read but before the HTTP response is sent.</p>
1437
1438	<p>	1461	<p>
1439	The following levels are available for <em>level</em>:</p>	1462	The following levels are available for <em>level</em>:</p>
1440	<ul>	1463	<ul>
1441	<li><strong>none</strong>:	1464	<li><code>none</code>
1442	no remote server Certificate is required at all</li>	1465	<p>No remote server Certificate verification will be performed.</p></li>
1443	<li><strong>optional</strong>:	1466	<li><code>optional_no_verify</code>
1444	the remote server <em>may</em> present a valid Certificate</li>	1467	<p>If the remote server provides a Certificate, it will be verified, but
1445	<li><strong>require</strong>:	1468	the result will be ignored.</p></li>
1446	the remote server <em>has to</em> present a valid Certificate</li>	1469	<li><code>optional_no_ca</code>
1447	<li><strong>optional_no_ca</strong>:	1470	<p>If the remote server provides a Certificate, it will be verified. The
1448	the remote server may present a valid Certificate<br />	1471	connection will be accepted even if the Certificate is not signed by one of
1449	but it need not to be (successfully) verifiable.</li>	1472	the CAs listed in
		1473	<directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
		1474	<directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
		1475	be rejected if verification fails for any other reason.</p></li>
		1476	<li><code>optional</code>
		1477	<p>If the remote server provides a Certificate, it will be verified, and the
		1478	connection will be rejected if verification fails.</p></li>
		1479	<li><code>require</code>
		1480	<p>The connection will be rejected unless the remote server provides a
		1481	Certificate and that Certificate is successfully verified.</p></li>
1450	</ul>	1482	</ul>
1451	<p>In practice only levels <strong>none</strong> and	1483	<p>In practice, most users will want either <strong>none</strong> or
1452	<strong>require</strong> are really interesting, because level	1484	<strong>require</strong>, as the other levels allow a remote server to bypass
1453	<strong>optional</strong> doesn't work with all servers and level	1485	the authentication mechanism. However, the other levels may be useful for
1454	<strong>optional_no_ca</strong> is actually against the idea of	1486	testing.</p>
1455	authentication (but can be used to establish SSL test pages, etc.)</p>
1456	<example><title>Example</title>	1487	<example><title>Example</title>
1457	SSLProxyVerify require	1488	SSLProxyVerify require
1458	</example>	1489	</example>
Lines 1466-1485 Link Here
1466	<syntax>SSLProxyVerifyDepth <em>number</em></syntax>	1497	<syntax>SSLProxyVerifyDepth <em>number</em></syntax>
1467	<default>SSLProxyVerifyDepth 1</default>	1498	<default>SSLProxyVerifyDepth 1</default>
1468	<contextlist><context>server config</context>	1499	<contextlist><context>server config</context>
1469	<context>virtual host</context>	1500	<context>virtual host</context></contextlist>
1470	<context>directory</context>
1471	<context>.htaccess</context></contextlist>
1472	<override>AuthConfig</override>
1473		1501
1474	<usage>	1502	<usage>
1475	<p>	1503	<p>
1476	This directive sets how deeply mod_ssl should verify before deciding that the	1504	This directive sets how deeply mod_ssl should verify before deciding that the
1477	remote server does not have a valid certificate. Notice that this directive can be	1505	remote server does not have a valid certificate.</p>
1478	used both in per-server and per-directory context. In per-server context it
1479	applies to the client authentication process used in the standard SSL
1480	handshake when a connection is established. In per-directory context it forces
1481	a SSL renegotation with the reconfigured remote server verification depth after the
1482	HTTP request was read but before the HTTP response is sent.</p>
1483	<p>	1506	<p>
1484	The depth actually is the maximum number of intermediate certificate issuers,	1507	The depth actually is the maximum number of intermediate certificate issuers,
1485	i.e. the number of CA certificates which are max allowed to be followed while	1508	i.e. the number of CA certificates which are max allowed to be followed while

Lines 221-227 Link Here

(-)modules/ssl/ssl_private.h (-1 / +2 lines)
221	SSL_CVERIFY_NONE = 0,	221	SSL_CVERIFY_NONE = 0,
222	SSL_CVERIFY_OPTIONAL = 1,	222	SSL_CVERIFY_OPTIONAL = 1,
223	SSL_CVERIFY_REQUIRE = 2,	223	SSL_CVERIFY_REQUIRE = 2,
224	SSL_CVERIFY_OPTIONAL_NO_CA = 3	224	SSL_CVERIFY_OPTIONAL_NO_CA = 3,
		225	SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
225	} ssl_verify_t;	226	} ssl_verify_t;
226		227
227	#define SSL_VERIFY_PEER_STRICT \	228	#define SSL_VERIFY_PEER_STRICT \

Lines 610-616 Link Here

(-)modules/ssl/ssl_engine_init.c (-1 / +2 lines)
610	}	610	}
611		611
612	if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|	612	if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|
613	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	613	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		614	(mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
614	{	615	{
615	verify \|= SSL_VERIFY_PEER;	616	verify \|= SSL_VERIFY_PEER;
616	}	617	}

Lines 914-919 Link Here

(-)modules/ssl/ssl_engine_config.c (+3 lines)
914	else if (strcEQ(arg, "optional_no_ca")) {	914	else if (strcEQ(arg, "optional_no_ca")) {
915	*id = SSL_CVERIFY_OPTIONAL_NO_CA;	915	*id = SSL_CVERIFY_OPTIONAL_NO_CA;
916	}	916	}
		917	else if (strcEQ(arg, "optional_no_verify")) {
		918	*id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
		919	}
917	else {	920	else {
918	return apr_pstrcat(parms->temp_pool, parms->cmd->name,	921	return apr_pstrcat(parms->temp_pool, parms->cmd->name,
919	": Invalid argument '", arg, "'",	922	": Invalid argument '", arg, "'",




    if ((verify_result != X509_V_OK) ||
        sslconn->verify_error)
    {
        const char *error = sslconn->verify_error ?
            sslconn->verify_error :
            X509_verify_cert_error_string(verify_result);

        if ((ssl_verify_error_is_optional(verify_result) &&
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
        {
            /* leaving this log message as an error for the moment,
             * according to the mod_ssl docs:

             * in 1.x
             */
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL client authentication failed, accepting "
                          "certificate based on \"SSLVerifyClient "
                          "optional_no_ca\" or \"SSLVerifyClient "
                          "optional_no_verify\" configuration: %s",
                          error ? error : "unknown");
            ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
        }
        else {
            const char *error = sslconn->verify_error ?
                sslconn->verify_error :
                X509_verify_cert_error_string(verify_result);

            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                         "SSL client authentication failed: %s",
                         error ? error : "unknown");

Lines 617-625 Link Here

(-)modules/ssl/ssl_engine_vars.c (-2 / +5 lines)
617	else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)	617	else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
618	/* client verification done successful */	618	/* client verification done successful */
619	result = "SUCCESS";	619	result = "SUCCESS";
620	else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))	620	else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
621	/* client verification done in generous way */	621	/* client verification done in generous way */
622	result = "GENEROUS";	622	if (verr)
		623	result = apr_psprintf(p, "GENEROUS:%s", verr);
		624	else
		625	result = "GENEROUS";
623	else	626	else
624	/* client verification failed */	627	/* client verification failed */
625	result = apr_psprintf(p, "FAILED:%s", verr);	628	result = apr_psprintf(p, "FAILED:%s", verr);




     * We force a renegotiation if the reconfigured/new verify type is
     * stronger than the currently active verify type.
     *
     * The order is: none << optional_no_verify << optional_no_ca << optional << require
     *
     * Additionally the following optimization is possible here: When the
     * currently active verify type is "none" but a client certificate is


        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
        {
            verify |= SSL_VERIFY_PEER;
        }

    }

    if (ssl_verify_error_is_optional(errnum) &&
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
         (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
    {
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                      "Certificate Verification: Error (%d) but verifiable "
                      "Issuer is configured as optional, therefore we're "
                      "accepting the certificate: %s", errnum,
                      X509_verify_cert_error_string(errnum));

        sslconn->verify_info = "GENEROUS";
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
        ok = TRUE;
    }


     * If we already know it's not ok, log the real reason
     */
    if (!ok) {
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
                          "Certificate Verification: Error (%d) but "
                          "verification is configured as optional, therefore "
                          "we're accepting the certificate: %s", errnum,
                          X509_verify_cert_error_string(errnum));

            sslconn->verify_info = "GENEROUS";
            if (!sslconn->verify_error) {
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
            }
            ok = TRUE;
        }
        else {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Error (%d): %s",
                          errnum, X509_verify_cert_error_string(errnum));

            if (sslconn->client_cert) {
                X509_free(sslconn->client_cert);
                sslconn->client_cert = NULL;
            }
            sslconn->client_dn = NULL;
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
        }
    }

    /*

    }

    if (errdepth > depth) {
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Certificate Chain too long "
                          "(chain has %d certificates, but maximum allowed are "
                          "only %d) but verification is configured as optional, "
                          "therefore we're accepting the certificate",
                          errdepth, depth);

            sslconn->verify_info = "GENEROUS";
            if (!sslconn->verify_error) {
                errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
            }
        }
        else {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "Certificate Verification: Certificate Chain too long "
                          "(chain has %d certificates, but maximum allowed are "
                          "only %d)",
                          errdepth, depth);

            errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
            sslconn->verify_error = X509_verify_cert_error_string(errnum);

            ok = FALSE;
        }
    }

    /*

Return to bug 45922

Lines 1202-1209 Link Here

(-)modules/ssl/ssl_engine_io.c (-10 / +12 lines)
1202	if ((verify_result != X509_V_OK) \|\|	1202	if ((verify_result != X509_V_OK) \|\|
1203	sslconn->verify_error)	1203	sslconn->verify_error)
1204	{	1204	{
1205	if (ssl_verify_error_is_optional(verify_result) &&	1205	const char *error = sslconn->verify_error ?
1206	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	1206	sslconn->verify_error :
		1207	X509_verify_cert_error_string(verify_result);
		1208
		1209	if ((ssl_verify_error_is_optional(verify_result) &&
		1210	sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		1211	sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
1207	{	1212	{
1208	/* leaving this log message as an error for the moment,	1213	/* leaving this log message as an error for the moment,
1209	* according to the mod_ssl docs:	1214	* according to the mod_ssl docs:
Lines 1214-1230 Link Here
1214	* in 1.x	1219	* in 1.x
1215	*/	1220	*/
1216	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,	1221	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1217	"SSL client authentication failed, "	1222	"SSL client authentication failed, accepting "
1218	"accepting certificate based on "	1223	"certificate based on \"SSLVerifyClient "
1219	"\"SSLVerifyClient optional_no_ca\" "	1224	"optional_no_ca\" or \"SSLVerifyClient "
1220	"configuration");	1225	"optional_no_verify\" configuration: %s",
		1226	error ? error : "unknown");
1221	ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);	1227	ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
1222	}	1228	}
1223	else {	1229	else {
1224	const char *error = sslconn->verify_error ?
1225	sslconn->verify_error :
1226	X509_verify_cert_error_string(verify_result);
1227
1228	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,	1230	ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1229	"SSL client authentication failed: %s",	1231	"SSL client authentication failed: %s",
1230	error ? error : "unknown");	1232	error ? error : "unknown");

Lines 519-525 Link Here

(-)modules/ssl/ssl_engine_kernel.c (-22 / +58 lines)
519	* We force a renegotiation if the reconfigured/new verify type is	519	* We force a renegotiation if the reconfigured/new verify type is
520	* stronger than the currently active verify type.	520	* stronger than the currently active verify type.
521	*	521	*
522	* The order is: none << optional_no_ca << optional << require	522	* The order is: none << optional_no_verify << optional_no_ca << optional << require
523	*	523	*
524	* Additionally the following optimization is possible here: When the	524	* Additionally the following optimization is possible here: When the
525	* currently active verify type is "none" but a client certificate is	525	* currently active verify type is "none" but a client certificate is
Lines 541-548 Link Here
541		541
542	if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) \|\|	542	if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) \|\|
543	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|	543	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		544	(dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) \|\|
544	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|	545	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|
545	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))	546	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		547	(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
546	{	548	{
547	verify \|= SSL_VERIFY_PEER;	549	verify \|= SSL_VERIFY_PEER;
548	}	550	}
Lines 1377-1390 Link Here
1377	}	1379	}
1378		1380
1379	if (ssl_verify_error_is_optional(errnum) &&	1381	if (ssl_verify_error_is_optional(errnum) &&
1380	(verify == SSL_CVERIFY_OPTIONAL_NO_CA))	1382	((verify == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
		1383	(verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
1381	{	1384	{
1382	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,	1385	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1383	"Certificate Verification: Verifiable Issuer is "	1386	"Certificate Verification: Error (%d) but verifiable "
1384	"configured as optional, therefore we're accepting "	1387	"Issuer is configured as optional, therefore we're "
1385	"the certificate");	1388	"accepting the certificate: %s", errnum,
		1389	X509_verify_cert_error_string(errnum));
1386		1390
1387	sslconn->verify_info = "GENEROUS";	1391	sslconn->verify_info = "GENEROUS";
		1392	sslconn->verify_error = X509_verify_cert_error_string(errnum);
1388	ok = TRUE;	1393	ok = TRUE;
1389	}	1394	}
1390		1395
Lines 1424-1439 Link Here
1424	* If we already know it's not ok, log the real reason	1429	* If we already know it's not ok, log the real reason
1425	*/	1430	*/
1426	if (!ok) {	1431	if (!ok) {
1427	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,	1432	if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1428	"Certificate Verification: Error (%d): %s",	1433	ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1429	errnum, X509_verify_cert_error_string(errnum));	1434	"Certificate Verification: Error (%d) but "
		1435	"verification is configured as optional, therefore "
		1436	"we're accepting the certificate: %s", errnum,
		1437	X509_verify_cert_error_string(errnum));
1430		1438
1431	if (sslconn->client_cert) {	1439	sslconn->verify_info = "GENEROUS";
1432	X509_free(sslconn->client_cert);	1440	if (!sslconn->verify_error) {
1433	sslconn->client_cert = NULL;	1441	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1442	}
		1443	ok = TRUE;
1434	}	1444	}
1435	sslconn->client_dn = NULL;	1445	else {
1436	sslconn->verify_error = X509_verify_cert_error_string(errnum);	1446	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
		1447	"Certificate Verification: Error (%d): %s",
		1448	errnum, X509_verify_cert_error_string(errnum));
		1449
		1450	if (sslconn->client_cert) {
		1451	X509_free(sslconn->client_cert);
		1452	sslconn->client_cert = NULL;
		1453	}
		1454	sslconn->client_dn = NULL;
		1455	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1456	}
1437	}	1457	}
1438		1458
1439	/*	1459	/*
Lines 1447-1462 Link Here
1447	}	1467	}
1448		1468
1449	if (errdepth > depth) {	1469	if (errdepth > depth) {
1450	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,	1470	if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1451	"Certificate Verification: Certificate Chain too long "	1471	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1452	"(chain has %d certificates, but maximum allowed are "	1472	"Certificate Verification: Certificate Chain too long "
1453	"only %d)",	1473	"(chain has %d certificates, but maximum allowed are "
1454	errdepth, depth);	1474	"only %d) but verification is configured as optional, "
		1475	"therefore we're accepting the certificate",
		1476	errdepth, depth);
1455		1477
1456	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;	1478	sslconn->verify_info = "GENEROUS";
1457	sslconn->verify_error = X509_verify_cert_error_string(errnum);	1479	if (!sslconn->verify_error) {
		1480	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
		1481	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1482	}
		1483	}
		1484	else {
		1485	ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
		1486	"Certificate Verification: Certificate Chain too long "
		1487	"(chain has %d certificates, but maximum allowed are "
		1488	"only %d)",
		1489	errdepth, depth);
1458		1490
1459	ok = FALSE;	1491	errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
		1492	sslconn->verify_error = X509_verify_cert_error_string(errnum);
		1493
		1494	ok = FALSE;
		1495	}
1460	}	1496	}
1461		1497
1462	/*	1498	/*

Lines 114-120 Link Here

(-)modules/ssl/mod_ssl.c (-2 / +2 lines)
114	"('/path/to/file' - PEM encoded)")	114	"('/path/to/file' - PEM encoded)")
115	SSL_CMD_ALL(VerifyClient, TAKE1,	115	SSL_CMD_ALL(VerifyClient, TAKE1,
116	"SSL Client verify type "	116	"SSL Client verify type "
117	"('none', 'optional', 'require', 'optional_no_ca')")	117	"('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
118	SSL_CMD_ALL(VerifyDepth, TAKE1,	118	SSL_CMD_ALL(VerifyDepth, TAKE1,
119	"SSL Client verify depth "	119	"SSL Client verify depth "
120	"('N' - number of intermediate certificates)")	120	"('N' - number of intermediate certificates)")
Lines 147-153 Link Here
147	"('XXX:...:XXX' - see manual)")	147	"('XXX:...:XXX' - see manual)")
148	SSL_CMD_SRV(ProxyVerify, TAKE1,	148	SSL_CMD_SRV(ProxyVerify, TAKE1,
149	"SSL Proxy: whether to verify the remote certificate "	149	"SSL Proxy: whether to verify the remote certificate "
150	"('on' or 'off')")	150	"('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
151	SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,	151	SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
152	"SSL Proxy: maximum certificate verification depth "	152	"SSL Proxy: maximum certificate verification depth "
153	"('N' - number of intermediate certificates)")	153	"('N' - number of intermediate certificates)")