Attachment 25539 Details for Bug 45922 – Patch for trunk

[patch] Patch for trunk

verify-trunk.patch (text/plain), 21.49 KB, created by Paul Donohue on 2010-06-07 12:25:38 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Paul Donohue

Created: 2010-06-07 12:25:38 UTC

Size: 21.49 KB

patch

obsolete

>Index: docs/manual/mod/mod_ssl.xml
>===================================================================
>--- docs/manual/mod/mod_ssl.xml	(revision 952305)
>+++ docs/manual/mod/mod_ssl.xml	(working copy)
>@@ -83,7 +83,7 @@
> <tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
> <tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
> <tr><td><code>SSL_CLIENT_CERT_CHAIN_</code>n</td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
>-<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code>reason</td></tr>
>+<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:reason</code> or <code>FAILED:</code>reason</td></tr>
> <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
> <tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
> <tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
>@@ -898,6 +898,13 @@
> specify an all-in-one file containing a concatenation of
> PEM-encoded CA certificates.
> 
>+For testing purposes, any available certificate (signed by any CA)
>+may be requested by specifying a file containing only a single space
>+character. However note that while this trick happens to work with
>+most browsers, the SSL/TLS standards do not define the appropriate
>+behavior when the set of acceptable CA names is empty, so this is not
>+guaranteed to work with all browsers.
>+
> <example><title>Example</title>
> SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
> </example>
>@@ -995,31 +1002,58 @@
> 
> <usage>
> 
>-This directive sets the Certificate verification level for the Client
>+This directive sets the Certificate verification level for Client Certificate
> Authentication. Notice that this directive can be used both in per-server and
> per-directory context. In per-server context it applies to the client
>-authentication process used in the standard SSL handshake when a connection is
>+authentication process in the initial SSL handshake when a connection is
> established. In per-directory context it forces a SSL renegotation with the
>-reconfigured client verification level after the HTTP request was read but
>+reconfigured client verification level after the HTTP request is read but
> before the HTTP response is sent.
> 
> The following levels are available for level:
> <ul>
>-<li>none:
>- no client Certificate is required at all</li>
>-<li>optional:
>- the client may present a valid Certificate</li>
>-<li>require:
>- the client has to present a valid Certificate</li>
>-<li>optional_no_ca:
>- the client may present a valid Certificate 
>- but it need not to be (successfully) verifiable.</li>
>+<li><code>none</code>
>+ No client Certificate is requested.</li>
>+<li><code>optional_no_verify</code>
>+ The client is asked to present a Certificate signed by one of the
>+ acceptable CA Certificates, but will be accepted even if no Certificate is
>+ provided, if the provided Certificate is not signed by one of the trusted
>+ CA Certificates, or if the provided Certificate has been revoked or is
>+ otherwise invalid.</li>
>+<li><code>optional_no_ca</code>
>+ The client is asked to present a Certificate signed by one of the
>+ acceptable CA Certificates, and will be accepted even if no Certificate is
>+ provided or if the provided Certificate is not signed by one of the
>+ trusted CA Certificates, but will be disconnected if the provided
>+ Certificate has been revoked or is otherwise invalid.</li>
>+<li><code>optional</code>
>+ The client is asked to present a Certificate signed by one of the
>+ acceptable CA Certificates, and will be accepted even if no Certificate is
>+ provided, but will be disconnected if the provided Certificate is not
>+ signed by one of the trusted CA Certificates, has been revoked, or is
>+ otherwise invalid.</li>
>+<li><code>require</code>
>+ The client is asked to present a Certificate signed by one of the
>+ acceptable CA Certificates, and will be disconnected if no Certificate is
>+ provided, if the provided Certificate is not signed by on of the trusted CA
>+ Certificates, or if the provided Certificate has been revoked or is
>+ otherwise invalid.</li>
> </ul>
>-In practice only levels none and
>-require are really interesting, because level
>-optional doesn't work with all browsers and level
>-optional_no_ca is actually against the idea of
>-authentication (but can be used to establish SSL test pages, etc.)
>+In practice, most users will want either none or
>+require, as the other levels allow users to bypass the
>+authentication mechanism. However, the other levels may be useful for testing,
>+or if your web application does it's own Certificate verification.
>+See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and
>+<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to
>+configure the list of acceptable CA Certificates, and see the
>+<directive module="mod_ssl">SSLCACertificateFile</directive> and
>+<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
>+configure the list of trusted CA Certificates.
>+Note that if SSLv2 is used with one of the optional levels
>+and no Certificate signed by one of the acceptable CA Certificates is available,
>+the browser may give up and disconnect rather than continuing without providing
>+a Certificate. If SSLv3 or TLS are used, the browser should always either
>+provide a Certificate or attempt to continue without a Certificate.
> <example><title>Example</title>
> SSLVerifyClient require
> </example>
>@@ -1418,41 +1452,38 @@
> <syntax>SSLProxyVerify level</syntax>
> <default>SSLProxyVerify none</default>
> <contextlist><context>server config</context>
>-<context>virtual host</context>
>-<context>directory</context>
>-<context>.htaccess</context></contextlist>
>-<override>AuthConfig</override>
>+<context>virtual host</context></contextlist>
> 
> <usage>
>-
> When a proxy is configured to forward requests to a remote SSL
>-server, this directive can be used to configure certificate
>-verification of the remote server. Notice that this directive can be
>-used both in per-server and per-directory context. In per-server
>-context it applies to the remote server authentication process used in
>-the standard SSL handshake when a connection is established by the
>-proxy. In per-directory context it forces a SSL renegotation with the
>-reconfigured remote server verification level after the HTTP request
>-was read but before the HTTP response is sent.
>-
>+server, this directive can be used to configure verification of the
>+remote server's SSL Certificate.
> 
> The following levels are available for level:
> <ul>
>-<li>none:
>- no remote server Certificate is required at all</li>
>-<li>optional:
>- the remote server may present a valid Certificate</li>
>-<li>require:
>- the remote server has to present a valid Certificate</li>
>-<li>optional_no_ca:
>- the remote server may present a valid Certificate 
>- but it need not to be (successfully) verifiable.</li>
>+<li><code>none</code>
>+ No remote server Certificate verification will be performed.</li>
>+<li><code>optional_no_verify</code>
>+ If the remote server provides a Certificate, it will be verified, but
>+ the result will be ignored.</li>
>+<li><code>optional_no_ca</code>
>+ If the remote server provides a Certificate, it will be verified. The
>+ connection will be accepted even if the Certificate is not signed by one of
>+ the CAs listed in
>+ <directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
>+ <directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
>+ be rejected if verification fails for any other reason.</li>
>+<li><code>optional</code>
>+ If the remote server provides a Certificate, it will be verified, and the
>+ connection will be rejected if verification fails.</li>
>+<li><code>require</code>
>+ The connection will be rejected unless the remote server provides a
>+ Certificate and that Certificate is successfully verified.</li>
> </ul>
>-In practice only levels none and
>-require are really interesting, because level
>-optional doesn't work with all servers and level
>-optional_no_ca is actually against the idea of
>-authentication (but can be used to establish SSL test pages, etc.)
>+In practice, most users will want either none or
>+require, as the other levels allow a remote server to bypass
>+the authentication mechanism. However, the other levels may be useful for
>+testing.
> <example><title>Example</title>
> SSLProxyVerify require
> </example>
>@@ -1466,20 +1497,12 @@
> <syntax>SSLProxyVerifyDepth number</syntax>
> <default>SSLProxyVerifyDepth 1</default>
> <contextlist><context>server config</context>
>-<context>virtual host</context>
>-<context>directory</context>
>-<context>.htaccess</context></contextlist>
>-<override>AuthConfig</override>
>+<context>virtual host</context></contextlist>
> 
> <usage>
> 
> This directive sets how deeply mod_ssl should verify before deciding that the
>-remote server does not have a valid certificate. Notice that this directive can be
>-used both in per-server and per-directory context. In per-server context it
>-applies to the client authentication process used in the standard SSL
>-handshake when a connection is established. In per-directory context it forces
>-a SSL renegotation with the reconfigured remote server verification depth after the
>-HTTP request was read but before the HTTP response is sent.
>+remote server does not have a valid certificate.
> 
> The depth actually is the maximum number of intermediate certificate issuers,
> i.e. the number of CA certificates which are max allowed to be followed while
>Index: modules/ssl/ssl_private.h
>===================================================================
>--- modules/ssl/ssl_private.h	(revision 952305)
>+++ modules/ssl/ssl_private.h	(working copy)
>@@ -221,7 +221,8 @@
> SSL_CVERIFY_NONE = 0,
> SSL_CVERIFY_OPTIONAL = 1,
> SSL_CVERIFY_REQUIRE = 2,
>- SSL_CVERIFY_OPTIONAL_NO_CA = 3
>+ SSL_CVERIFY_OPTIONAL_NO_CA = 3,
>+ SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
> } ssl_verify_t;
> 
> #define SSL_VERIFY_PEER_STRICT \
>Index: modules/ssl/ssl_engine_init.c
>===================================================================
>--- modules/ssl/ssl_engine_init.c	(revision 952305)
>+++ modules/ssl/ssl_engine_init.c	(working copy)
>@@ -610,7 +610,8 @@
> }
> 
> if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
>- (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
>+ (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>+ (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
> {
> verify |= SSL_VERIFY_PEER;
> }
>Index: modules/ssl/ssl_engine_config.c
>===================================================================
>--- modules/ssl/ssl_engine_config.c	(revision 952305)
>+++ modules/ssl/ssl_engine_config.c	(working copy)
>@@ -914,6 +914,9 @@
> else if (strcEQ(arg, "optional_no_ca")) {
> *id = SSL_CVERIFY_OPTIONAL_NO_CA;
> }
>+ else if (strcEQ(arg, "optional_no_verify")) {
>+ *id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
>+ }
> else {
> return apr_pstrcat(parms->temp_pool, parms->cmd->name,
> ": Invalid argument '", arg, "'",
>Index: modules/ssl/ssl_engine_io.c
>===================================================================
>--- modules/ssl/ssl_engine_io.c	(revision 952305)
>+++ modules/ssl/ssl_engine_io.c	(working copy)
>@@ -1202,8 +1202,13 @@
> if ((verify_result != X509_V_OK) ||
> sslconn->verify_error)
> {
>- if (ssl_verify_error_is_optional(verify_result) &&
>- (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
>+ const char *error = sslconn->verify_error ?
>+ sslconn->verify_error :
>+ X509_verify_cert_error_string(verify_result);
>+
>+ if ((ssl_verify_error_is_optional(verify_result) &&
>+ sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>+ sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
> {
> /* leaving this log message as an error for the moment,
> * according to the mod_ssl docs:
>@@ -1214,17 +1219,14 @@
> * in 1.x
> */
> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
>- "SSL client authentication failed, "
>- "accepting certificate based on "
>- "\"SSLVerifyClient optional_no_ca\" "
>- "configuration");
>+ "SSL client authentication failed, accepting "
>+ "certificate based on \"SSLVerifyClient "
>+ "optional_no_ca\" or \"SSLVerifyClient "
>+ "optional_no_verify\" configuration: %s",
>+ error ? error : "unknown");
> ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
> }
> else {
>- const char *error = sslconn->verify_error ?
>- sslconn->verify_error :
>- X509_verify_cert_error_string(verify_result);
>-
> ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
> "SSL client authentication failed: %s",
> error ? error : "unknown");
>Index: modules/ssl/ssl_engine_vars.c
>===================================================================
>--- modules/ssl/ssl_engine_vars.c	(revision 952305)
>+++ modules/ssl/ssl_engine_vars.c	(working copy)
>@@ -617,9 +617,12 @@
> else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
> /* client verification done successful */
> result = "SUCCESS";
>- else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
>+ else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
> /* client verification done in generous way */
>- result = "GENEROUS";
>+ if (verr)
>+ result = apr_psprintf(p, "GENEROUS:%s", verr);
>+ else
>+ result = "GENEROUS";
> else
> /* client verification failed */
> result = apr_psprintf(p, "FAILED:%s", verr);
>Index: modules/ssl/ssl_engine_kernel.c
>===================================================================
>--- modules/ssl/ssl_engine_kernel.c	(revision 952305)
>+++ modules/ssl/ssl_engine_kernel.c	(working copy)
>@@ -519,7 +519,7 @@
> * We force a renegotiation if the reconfigured/new verify type is
> * stronger than the currently active verify type.
> *
>- * The order is: none << optional_no_ca << optional << require
>+ * The order is: none << optional_no_verify << optional_no_ca << optional << require
> *
> * Additionally the following optimization is possible here: When the
> * currently active verify type is "none" but a client certificate is
>@@ -541,8 +541,10 @@
> 
> if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
> (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>+ (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
> (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
>- (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
>+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
> {
> verify |= SSL_VERIFY_PEER;
> }
>@@ -1377,14 +1379,17 @@
> }
> 
> if (ssl_verify_error_is_optional(errnum) &&
>- (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
>+ ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
>+ (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
> {
> ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
>- "Certificate Verification: Verifiable Issuer is "
>- "configured as optional, therefore we're accepting "
>- "the certificate");
>+ "Certificate Verification: Error (%d) but verifiable "
>+ "Issuer is configured as optional, therefore we're "
>+ "accepting the certificate: %s", errnum,
>+ X509_verify_cert_error_string(errnum));
> 
> sslconn->verify_info = "GENEROUS";
>+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
> ok = TRUE;
> }
> 
>@@ -1424,16 +1429,31 @@
> * If we already know it's not ok, log the real reason
> */
> if (!ok) {
>- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>- "Certificate Verification: Error (%d): %s",
>- errnum, X509_verify_cert_error_string(errnum));
>+ if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
>+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
>+ "Certificate Verification: Error (%d) but "
>+ "verification is configured as optional, therefore "
>+ "we're accepting the certificate: %s", errnum,
>+ X509_verify_cert_error_string(errnum));
> 
>- if (sslconn->client_cert) {
>- X509_free(sslconn->client_cert);
>- sslconn->client_cert = NULL;
>+ sslconn->verify_info = "GENEROUS";
>+ if (!sslconn->verify_error) {
>+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+ }
>+ ok = TRUE;
> }
>- sslconn->client_dn = NULL;
>- sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+ else {
>+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>+ "Certificate Verification: Error (%d): %s",
>+ errnum, X509_verify_cert_error_string(errnum));
>+
>+ if (sslconn->client_cert) {
>+ X509_free(sslconn->client_cert);
>+ sslconn->client_cert = NULL;
>+ }
>+ sslconn->client_dn = NULL;
>+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+ }
> }
> 
> /*
>@@ -1447,16 +1467,32 @@
> }
> 
> if (errdepth > depth) {
>- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>- "Certificate Verification: Certificate Chain too long "
>- "(chain has %d certificates, but maximum allowed are "
>- "only %d)",
>- errdepth, depth);
>+ if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
>+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>+ "Certificate Verification: Certificate Chain too long "
>+ "(chain has %d certificates, but maximum allowed are "
>+ "only %d) but verification is configured as optional, "
>+ "therefore we're accepting the certificate",
>+ errdepth, depth);
> 
>- errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
>- sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+ sslconn->verify_info = "GENEROUS";
>+ if (!sslconn->verify_error) {
>+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
>+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+ }
>+ }
>+ else {
>+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>+ "Certificate Verification: Certificate Chain too long "
>+ "(chain has %d certificates, but maximum allowed are "
>+ "only %d)",
>+ errdepth, depth);
> 
>- ok = FALSE;
>+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
>+ sslconn->verify_error = X509_verify_cert_error_string(errnum);
>+
>+ ok = FALSE;
>+ }
> }
> 
> /*
>Index: modules/ssl/mod_ssl.c
>===================================================================
>--- modules/ssl/mod_ssl.c	(revision 952305)
>+++ modules/ssl/mod_ssl.c	(working copy)
>@@ -114,7 +114,7 @@
> "('/path/to/file' - PEM encoded)")
> SSL_CMD_ALL(VerifyClient, TAKE1,
> "SSL Client verify type "
>- "('none', 'optional', 'require', 'optional_no_ca')")
>+ "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
> SSL_CMD_ALL(VerifyDepth, TAKE1,
> "SSL Client verify depth "
> "('N' - number of intermediate certificates)")
>@@ -147,7 +147,7 @@
> "('XXX:...:XXX' - see manual)")
> SSL_CMD_SRV(ProxyVerify, TAKE1,
> "SSL Proxy: whether to verify the remote certificate "
>- "('on' or 'off')")
>+ "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')")
> SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
> "SSL Proxy: maximum certificate verification depth "
> "('N' - number of intermediate certificates)")

Actions: View | Diff

Attachments on bug 45922: 25297 | 25298 | 25303 | 25304 | 25313 | 25314 | 25539