ASF Bugzilla – Attachment 25539 Details for
Bug 45922
Expand the conditions under which "SSLVerifyClient optional_no_ca" works
[patch]
Patch for trunk
verify-trunk.patch (text/plain), 21.49 KB, created by
Paul Donohue
on 2010-06-07 12:25:38 UTC
Description: Patch for trunk
Filename: verify-trunk.patch
MIME Type: text/plain
Creator: Paul Donohue
Created: 2010-06-07 12:25:38 UTC
Size: 21.49 KB
Flags: patch, obsolete
>Index: docs/manual/mod/mod_ssl.xml >=================================================================== >--- docs/manual/mod/mod_ssl.xml (revision 952305) >+++ docs/manual/mod/mod_ssl.xml (working copy) >@@ -83,7 +83,7 @@ > <tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> > <tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> > <tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> >-<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> >+<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr> > <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> > <tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> > <tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> >@@ -898,6 +898,13 @@ > specify an <em>all-in-one</em> file containing a concatenation of > PEM-encoded CA certificates.</p> > >+<p>For testing purposes, any available certificate (signed by any CA) >+may be requested by specifying a file containing only a single space >+character. However note that while this trick happens to work with >+most browsers, the SSL/TLS standards do not define the appropriate >+behavior when the set of acceptable CA names is empty, so this is not >+guaranteed to work with all browsers.</p> >+ > <example><title>Example</title> > SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt > </example> 
>@@ -995,31 +1002,58 @@ > > <usage> > <p> >-This directive sets the Certificate verification level for the Client >+This directive sets the Certificate verification level for Client Certificate > Authentication. Notice that this directive can be used both in per-server and > per-directory context. In per-server context it applies to the client >-authentication process used in the standard SSL handshake when a connection is >+authentication process in the initial SSL handshake when a connection is > established. In per-directory context it forces a SSL renegotation with the >-reconfigured client verification level after the HTTP request was read but >+reconfigured client verification level after the HTTP request is read but > before the HTTP response is sent.</p> > <p> > The following levels are available for <em>level</em>:</p> > <ul> >-<li><strong>none</strong>: >- no client Certificate is required at all</li> >-<li><strong>optional</strong>: >- the client <em>may</em> present a valid Certificate</li> >-<li><strong>require</strong>: >- the client <em>has to</em> present a valid Certificate</li> >-<li><strong>optional_no_ca</strong>: >- the client may present a valid Certificate<br /> >- but it need not to be (successfully) verifiable.</li> >+<li><code>none</code> >+ <p>No client Certificate is requested.</p></li> >+<li><code>optional_no_verify</code> >+ <p>The client is asked to present a Certificate signed by one of the >+ acceptable CA Certificates, but will be accepted even if no Certificate is >+ provided, if the provided Certificate is not signed by one of the trusted >+ CA Certificates, or if the provided Certificate has been revoked or is >+ otherwise invalid.</p></li> >+<li><code>optional_no_ca</code> >+ <p>The client is asked to present a Certificate signed by one of the >+ acceptable CA Certificates, and will be accepted even if no Certificate is >+ provided or if the provided Certificate is not signed by one of the >+ trusted CA Certificates, but will 
be disconnected if the provided >+ Certificate has been revoked or is otherwise invalid.</p></li> >+<li><code>optional</code> >+ <p>The client is asked to present a Certificate signed by one of the >+ acceptable CA Certificates, and will be accepted even if no Certificate is >+ provided, but will be disconnected if the provided Certificate is not >+ signed by one of the trusted CA Certificates, has been revoked, or is >+ otherwise invalid.</p></li> >+<li><code>require</code> >+ <p>The client is asked to present a Certificate signed by one of the >+ acceptable CA Certificates, and will be disconnected if no Certificate is >+ provided, if the provided Certificate is not signed by on of the trusted CA >+ Certificates, or if the provided Certificate has been revoked or is >+ otherwise invalid.</p></li> > </ul> >-<p>In practice only levels <strong>none</strong> and >-<strong>require</strong> are really interesting, because level >-<strong>optional</strong> doesn't work with all browsers and level >-<strong>optional_no_ca</strong> is actually against the idea of >-authentication (but can be used to establish SSL test pages, etc.)</p> >+<p>In practice, most users will want either <strong>none</strong> or >+<strong>require</strong>, as the other levels allow users to bypass the >+authentication mechanism. 
However, the other levels may be useful for testing, >+or if your web application does it's own Certificate verification.</p> >+<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and >+<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to >+configure the list of acceptable CA Certificates, and see the >+<directive module="mod_ssl">SSLCACertificateFile</directive> and >+<directive module="mod_ssl">SSLCACertificatePath</directive> directives to >+configure the list of trusted CA Certificates.</p> >+<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels >+and no Certificate signed by one of the acceptable CA Certificates is available, >+the browser may give up and disconnect rather than continuing without providing >+a Certificate. If SSLv3 or TLS are used, the browser should always either >+provide a Certificate or attempt to continue without a Certificate.</p> > <example><title>Example</title> > SSLVerifyClient require > </example> 
>@@ -1418,41 +1452,38 @@ > <syntax>SSLProxyVerify <em>level</em></syntax> > <default>SSLProxyVerify none</default> > <contextlist><context>server config</context> >-<context>virtual host</context> >-<context>directory</context> >-<context>.htaccess</context></contextlist> >-<override>AuthConfig</override> >+<context>virtual host</context></contextlist> > > <usage> >- > <p>When a proxy is configured to forward requests to a remote SSL >-server, this directive can be used to configure certificate >-verification of the remote server. Notice that this directive can be >-used both in per-server and per-directory context. In per-server >-context it applies to the remote server authentication process used in >-the standard SSL handshake when a connection is established by the >-proxy. In per-directory context it forces a SSL renegotation with the >-reconfigured remote server verification level after the HTTP request >-was read but before the HTTP response is sent.</p> >- >+server, this directive can be used to configure verification of the >+remote server's SSL Certificate.</p> > <p> > The following levels are available for <em>level</em>:</p> > <ul> >-<li><strong>none</strong>: >- no remote server Certificate is required at all</li> >-<li><strong>optional</strong>: >- the remote server <em>may</em> present a valid Certificate</li> >-<li><strong>require</strong>: >- the remote server <em>has to</em> present a valid Certificate</li> >-<li><strong>optional_no_ca</strong>: >- the remote server may present a valid Certificate<br /> >- but it need not to be (successfully) verifiable.</li> >+<li><code>none</code> >+ <p>No remote server Certificate verification will be performed.</p></li> >+<li><code>optional_no_verify</code> >+ <p>If the remote server provides a Certificate, it will be verified, but >+ the result will be ignored.</p></li> >+<li><code>optional_no_ca</code> >+ <p>If the remote server provides a Certificate, it will be verified. 
The >+ connection will be accepted even if the Certificate is not signed by one of >+ the CAs listed in >+ <directive module="mod_ssl">SSLProxyCACertificateFile</directive> or >+ <directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will >+ be rejected if verification fails for any other reason.</p></li> >+<li><code>optional</code> >+ <p>If the remote server provides a Certificate, it will be verified, and the >+ connection will be rejected if verification fails.</p></li> >+<li><code>require</code> >+ <p>The connection will be rejected unless the remote server provides a >+ Certificate and that Certificate is successfully verified.</p></li> > </ul> >-<p>In practice only levels <strong>none</strong> and >-<strong>require</strong> are really interesting, because level >-<strong>optional</strong> doesn't work with all servers and level >-<strong>optional_no_ca</strong> is actually against the idea of >-authentication (but can be used to establish SSL test pages, etc.)</p> >+<p>In practice, most users will want either <strong>none</strong> or >+<strong>require</strong>, as the other levels allow a remote server to bypass >+the authentication mechanism. However, the other levels may be useful for >+testing.</p> > <example><title>Example</title> > SSLProxyVerify require > </example> 
>@@ -1466,20 +1497,12 @@ > <syntax>SSLProxyVerifyDepth <em>number</em></syntax> > <default>SSLProxyVerifyDepth 1</default> > <contextlist><context>server config</context> >-<context>virtual host</context> >-<context>directory</context> >-<context>.htaccess</context></contextlist> >-<override>AuthConfig</override> >+<context>virtual host</context></contextlist> > > <usage> > <p> > This directive sets how deeply mod_ssl should verify before deciding that the >-remote server does not have a valid certificate. Notice that this directive can be >-used both in per-server and per-directory context. In per-server context it >-applies to the client authentication process used in the standard SSL >-handshake when a connection is established. In per-directory context it forces >-a SSL renegotation with the reconfigured remote server verification depth after the >-HTTP request was read but before the HTTP response is sent.</p> >+remote server does not have a valid certificate.</p> > <p> > The depth actually is the maximum number of intermediate certificate issuers, > i.e. the number of CA certificates which are max allowed to be followed while >Index: modules/ssl/ssl_private.h >=================================================================== >--- modules/ssl/ssl_private.h (revision 952305) >+++ modules/ssl/ssl_private.h (working copy) >@@ -221,7 +221,8 @@ > SSL_CVERIFY_NONE = 0, > SSL_CVERIFY_OPTIONAL = 1, > SSL_CVERIFY_REQUIRE = 2, >- SSL_CVERIFY_OPTIONAL_NO_CA = 3 >+ SSL_CVERIFY_OPTIONAL_NO_CA = 3, >+ SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4 > } ssl_verify_t; > > #define SSL_VERIFY_PEER_STRICT \ >Index: modules/ssl/ssl_engine_init.c >=================================================================== >--- modules/ssl/ssl_engine_init.c (revision 952305) >+++ modules/ssl/ssl_engine_init.c (working copy) 
>@@ -610,7 +610,8 @@ > } > > if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || >- (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) >+ (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) || >+ (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)) > { > verify |= SSL_VERIFY_PEER; > } >Index: modules/ssl/ssl_engine_config.c >=================================================================== >--- modules/ssl/ssl_engine_config.c (revision 952305) >+++ modules/ssl/ssl_engine_config.c (working copy) >@@ -914,6 +914,9 @@ > else if (strcEQ(arg, "optional_no_ca")) { > *id = SSL_CVERIFY_OPTIONAL_NO_CA; > } >+ else if (strcEQ(arg, "optional_no_verify")) { >+ *id = SSL_CVERIFY_OPTIONAL_NO_VERIFY; >+ } > else { > return apr_pstrcat(parms->temp_pool, parms->cmd->name, > ": Invalid argument '", arg, "'", >Index: modules/ssl/ssl_engine_io.c >=================================================================== >--- modules/ssl/ssl_engine_io.c (revision 952305) >+++ modules/ssl/ssl_engine_io.c (working copy) >@@ -1202,8 +1202,13 @@ > if ((verify_result != X509_V_OK) || > sslconn->verify_error) > { >- if (ssl_verify_error_is_optional(verify_result) && >- (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) >+ const char *error = sslconn->verify_error ? >+ sslconn->verify_error : >+ X509_verify_cert_error_string(verify_result); >+ >+ if ((ssl_verify_error_is_optional(verify_result) && >+ sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) || >+ sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY) > { > /* leaving this log message as an error for the moment, > * according to the mod_ssl docs: 
>@@ -1214,17 +1219,14 @@ > * in 1.x > */ > ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, >- "SSL client authentication failed, " >- "accepting certificate based on " >- "\"SSLVerifyClient optional_no_ca\" " >- "configuration"); >+ "SSL client authentication failed, accepting " >+ "certificate based on \"SSLVerifyClient " >+ "optional_no_ca\" or \"SSLVerifyClient " >+ "optional_no_verify\" configuration: %s", >+ error ? error : "unknown"); > ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server); > } > else { >- const char *error = sslconn->verify_error ? >- sslconn->verify_error : >- X509_verify_cert_error_string(verify_result); >- > ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, > "SSL client authentication failed: %s", > error ? error : "unknown"); >Index: modules/ssl/ssl_engine_vars.c >=================================================================== >--- modules/ssl/ssl_engine_vars.c (revision 952305) >+++ modules/ssl/ssl_engine_vars.c (working copy) >@@ -617,9 +617,12 @@ > else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL) > /* client verification done successful */ > result = "SUCCESS"; >- else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS")) >+ else if (vinfo != NULL && strEQ(vinfo, "GENEROUS")) > /* client verification done in generous way */ >- result = "GENEROUS"; >+ if (verr) >+ result = apr_psprintf(p, "GENEROUS:%s", verr); >+ else >+ result = "GENEROUS"; > else > /* client verification failed */ > result = apr_psprintf(p, "FAILED:%s", verr); >Index: modules/ssl/ssl_engine_kernel.c >=================================================================== >--- modules/ssl/ssl_engine_kernel.c (revision 952305) >+++ modules/ssl/ssl_engine_kernel.c (working copy) 
>@@ -519,7 +519,7 @@ > * We force a renegotiation if the reconfigured/new verify type is > * stronger than the currently active verify type. > * >- * The order is: none << optional_no_ca << optional << require >+ * The order is: none << optional_no_verify << optional_no_ca << optional << require > * > * Additionally the following optimization is possible here: When the > * currently active verify type is "none" but a client certificate is >@@ -541,8 +541,10 @@ > > if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || > (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) || >+ (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) || > (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || >- (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) >+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) || >+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)) > { > verify |= SSL_VERIFY_PEER; > } >@@ -1377,14 +1379,17 @@ > } > > if (ssl_verify_error_is_optional(errnum) && >- (verify == SSL_CVERIFY_OPTIONAL_NO_CA)) >+ ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) || >+ (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY))) > { > ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, >- "Certificate Verification: Verifiable Issuer is " >- "configured as optional, therefore we're accepting " >- "the certificate"); >+ "Certificate Verification: Error (%d) but verifiable " >+ "Issuer is configured as optional, therefore we're " >+ "accepting the certificate: %s", errnum, >+ X509_verify_cert_error_string(errnum)); > > sslconn->verify_info = "GENEROUS"; >+ sslconn->verify_error = X509_verify_cert_error_string(errnum); > ok = TRUE; > } 
> >@@ -1424,16 +1429,31 @@ > * If we already know it's not ok, log the real reason > */ > if (!ok) { >- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, >- "Certificate Verification: Error (%d): %s", >- errnum, X509_verify_cert_error_string(errnum)); >+ if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) { >+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, >+ "Certificate Verification: Error (%d) but " >+ "verification is configured as optional, therefore " >+ "we're accepting the certificate: %s", errnum, >+ X509_verify_cert_error_string(errnum)); > >- if (sslconn->client_cert) { >- X509_free(sslconn->client_cert); >- sslconn->client_cert = NULL; >+ sslconn->verify_info = "GENEROUS"; >+ if (!sslconn->verify_error) { >+ sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ } >+ ok = TRUE; > } >- sslconn->client_dn = NULL; >- sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ else { >+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, >+ "Certificate Verification: Error (%d): %s", >+ errnum, X509_verify_cert_error_string(errnum)); >+ >+ if (sslconn->client_cert) { >+ X509_free(sslconn->client_cert); >+ sslconn->client_cert = NULL; >+ } >+ sslconn->client_dn = NULL; >+ sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ } > } > > /* 
>@@ -1447,16 +1467,32 @@ > } > > if (errdepth > depth) { >- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, >- "Certificate Verification: Certificate Chain too long " >- "(chain has %d certificates, but maximum allowed are " >- "only %d)", >- errdepth, depth); >+ if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) { >+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, >+ "Certificate Verification: Certificate Chain too long " >+ "(chain has %d certificates, but maximum allowed are " >+ "only %d) but verification is configured as optional, " >+ "therefore we're accepting the certificate", >+ errdepth, depth); > >- errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG; >- sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ sslconn->verify_info = "GENEROUS"; >+ if (!sslconn->verify_error) { >+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG; >+ sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ } >+ } >+ else { >+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn, >+ "Certificate Verification: Certificate Chain too long " >+ "(chain has %d certificates, but maximum allowed are " >+ "only %d)", >+ errdepth, depth); > >- ok = FALSE; >+ errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG; >+ sslconn->verify_error = X509_verify_cert_error_string(errnum); >+ >+ ok = FALSE; >+ } > } > > /* >Index: modules/ssl/mod_ssl.c >=================================================================== >--- modules/ssl/mod_ssl.c (revision 952305) >+++ modules/ssl/mod_ssl.c (working copy) >@@ -114,7 +114,7 @@ > "('/path/to/file' - PEM encoded)") > SSL_CMD_ALL(VerifyClient, TAKE1, > "SSL Client verify type " >- "('none', 'optional', 'require', 'optional_no_ca')") >+ "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')") > SSL_CMD_ALL(VerifyDepth, TAKE1, > "SSL Client verify depth " > "('N' - number of intermediate certificates)") 
>@@ -147,7 +147,7 @@ > "('XXX:...:XXX' - see manual)") > SSL_CMD_SRV(ProxyVerify, TAKE1, > "SSL Proxy: whether to verify the remote certificate " >- "('on' or 'off')") >+ "('none', 'optional_no_verify', 'optional_no_ca', 'optional', 'require')") > SSL_CMD_SRV(ProxyVerifyDepth, TAKE1, > "SSL Proxy: maximum certificate verification depth " > "('N' - number of intermediate certificates)")
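Review bot: In the docs/manual/mod/mod_ssl.xml hunk at @@ -83 the new SSL_CLIENT_VERIFY row nests `<em>reason</em>` inside `<code>` for GENEROUS (`<code>GENEROUS:<em>reason</em></code>`) but keeps it outside for FAILED (`<code>FAILED:</code><em>reason</em>`); use one markup style for both. The row should also say which levels produce the `GENEROUS:reason` form, since after this patch both `optional_no_ca` and `optional_no_verify` do.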
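Review bot: The paragraph added in the mod_ssl.xml hunk at @@ -898 recommends a SSLCADNRequestFile containing a single space to send an empty acceptable-CA list; the text admits the behaviour is undefined by the SSL/TLS standards, so it should also say plainly that this is for test setups only and not a supported configuration. It would help to add that an empty request list only affects which certificate the browser offers; the server's check against the trusted CA list (SSLCACertificateFile/Path) still applies unless one of the `optional_no_*` levels disables it.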
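Review bot: Two typos in the new SSLVerifyClient text in the mod_ssl.xml hunk at @@ -995: "signed by on of the trusted CA" should read "one of", and "does it's own Certificate verification" should read "its own" (the pre-existing "renegotation" in the context line could be fixed to "renegotiation" while here). The `optional_no_verify` item should also state that a certificate which failed verification is still exposed through SSL_CLIENT_CERT, SSL_CLIENT_S_DN and the other SSL_CLIENT_* variables (the ssl_engine_kernel.c hunk at @@ -1429 keeps `client_cert` and `client_dn` on that path), so an application doing its own verification must look at SSL_CLIENT_VERIFY to tell it apart from a verified one.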
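Review bot: In the SSLProxyVerify hunk at @@ -1418 the `optional_no_verify` and `optional_no_ca` items describe the mechanics ("verified, but the result will be ignored") without the consequence: the proxy will forward requests to a backend presenting an untrusted or invalid certificate, so neither level authenticates the backend. Suggest saying that in each item, not only in the closing paragraph. Dropping the `directory`/`.htaccess` contexts and the `AuthConfig` override matches the `SSL_CMD_SRV(ProxyVerify, ...)` definition visible in the mod_ssl.c hunk, so that part is a documentation correction and deserves a line in the commit message.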
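Review bot: In the modules/ssl/ssl_private.h hunk `SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4` receives the highest numeric value, while the comment updated in the ssl_engine_kernel.c hunk at @@ -519 places it as the weakest level after `none`. If `ssl_verify_t` values are never compared numerically for strength, add a comment on the enum saying so; otherwise assign the values in strength order (none, optional_no_verify, optional_no_ca, optional, require) so the two do not diverge.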
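Review bot: The reworked message in the modules/ssl/ssl_engine_io.c hunk at @@ -1214 no longer tells the operator which level admitted the failed certificate ("optional_no_ca" or "optional_no_verify"); select the directive name from `sc->server->auth.verify_mode` when formatting, so an audit can distinguish an issuer mismatch accepted under `optional_no_ca` from a revoked or expired certificate accepted under `optional_no_verify`. The context comment "leaving this log message as an error for the moment" also contradicts the `APLOG_INFO` level actually used; update or drop it.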
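Review bot: In the modules/ssl/ssl_engine_vars.c hunk the new unbraced `if (verr) ... else ...` sits inside an `else if` that is itself followed by `else`; it parses as intended (the inner `else` binds to `if (verr)`, the outer one to the `else if`), but put braces around the GENEROUS branch so the structure is obvious and the next edit does not break it. Dropping `vrc == X509_V_OK` from that branch is needed for `optional_no_verify`, but note the side effect on existing `optional_no_ca` deployments: because the ssl_engine_kernel.c hunk at @@ -1377 now sets `verify_error` on the optional_no_ca path as well, SSL_CLIENT_VERIFY changes from `GENEROUS` to `GENEROUS:<reason>`, which breaks SSLRequire or rewrite rules that compare against the exact string `GENEROUS`. Either keep the old value for optional_no_ca or call the change out in the documentation and CHANGES.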
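Review bot: In the modules/ssl/ssl_engine_kernel.c hunk at @@ -541 all three optional levels map to the same `SSL_VERIFY_PEER` flag, so the "stronger verify type forces a renegotiation" rule described in the comment at @@ -519 cannot tell them apart: with `SSLVerifyClient optional_no_verify` at server level and `SSLVerifyClient optional` in a per-directory context the computed flags are identical, no renegotiation is triggered, and a certificate admitted as GENEROUS during the initial handshake (untrusted issuer, revoked or expired) remains accepted for that directory unless a later check compares the levels explicitly. Either compare the configured levels using the stated ordering when deciding to renegotiate, or document that tightening from one optional level to another in per-directory context has no effect.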
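Review bot: In the ssl_engine_kernel.c hunk at @@ -1429 the new optional_no_verify branch logs the admission of a certificate that failed verification at `APLOG_DEBUG`, whereas the matching chain-too-long case in the following hunk (@@ -1467) logs it at `APLOG_ERR`; use one level in both places, and since an invalid certificate is being admitted, INFO (the level ssl_engine_io.c uses) or WARNING is the defensible choice so the event shows up in default logs. The duplicated log/`X509_free`/`client_dn = NULL` block can be avoided by adding a short `if (!ok && verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) { ...; ok = TRUE; }` before the existing `if (!ok)` block instead of re-indenting the original code into an else branch.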
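Review bot: In the ssl_engine_kernel.c hunk at @@ -1467 the assignment `errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG` is placed inside `if (!sslconn->verify_error)`, so on the accept path `errnum` keeps its previous value whenever an earlier error was already recorded; that looks accidental, so set `errnum` unconditionally as the else branch does and guard only the `verify_error` assignment. This depth check runs independently of the per-certificate callback result, so under `optional_no_verify` a chain longer than SSLVerifyDepth is now admitted without the extra certificates ever being examined; the SSLVerifyClient documentation should mention that SSLVerifyDepth is not enforced at that level.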