
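--- a/docs/conf/extra/httpd-ssl.conf.in
+++ b/docs/conf/extra/httpd-ssl.conf.in
@@ -142,12 +142,15 @@
 #   of them (file must be PEM encoded).
 #   The CRL checking mode needs to be configured explicitly
 #   through SSLCARevocationCheck (defaults to "none" otherwise).
+#   Client certificates issued by CAs that do not have a CRL are
+#   rejected unless SSLCARevocationAllowMissing is set to "on".
 #   Note: Inside SSLCARevocationPath you need hash symlinks
 #         to point to the certificate files. Use the provided
 #         Makefile to update the hash symlinks after changes.
 #SSLCARevocationPath "@exp_sysconfdir@/ssl.crl"
 #SSLCARevocationFile "@exp_sysconfdir@/ssl.crl/ca-bundle.crl"
 #SSLCARevocationCheck chain
+#SSLCARevocationAllowMissing on
 
 #   Client Authentication (Type):
 #   Client certificate verification type and depth.  Types are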
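--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1087,6 +1087,9 @@
 when checking is enabled, CRLs <em>must</em> be present for the validation
 to succeed - otherwise it will fail with an
 <code>"unable to get certificate CRL"</code> error.
+The pre-2.3.15 behavior can be restored by setting the 
+<directive module="mod_ssl">SSLCARevocationAllowMissing</directive> directive
+to "on".
 </p>
 </note>
 <example><title>Example</title>
@@ -1098,6 +1101,34 @@
 </directivesynopsis>
 
 <directivesynopsis>
+<name>SSLCARevocationAllowMissing</name>
+<description>Allow connections when there is no CRL present for a CA
+</description>
+<syntax>SSLCARevocationAllowMissing off|on</syntax>
+<default>SSLCARevocationAllowMissing off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+
+<usage>
+<p>
+By default the CRL checking in mod_ssl will reject connections if a client
+certificate is signed by a CA that does not have a CRL available in any of the
+locations configured with
+<directive module="mod_ssl">SSLCARevocationFile</directive>
+or <directive module="mod_ssl">SSLCARevocationPath</directive>.
+Setting this directive to "on" will change this behavior, and make mod_ssl
+assume that a missing CRL means that no certificates signed by that CA are
+revoked.
+</p>
+<example><title>Example</title>
+<highlight language="config">
+SSLCARevocationAllowMissing on
+</highlight>
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>SSLVerifyClient</name>
 <description>Type of Client Certificate verification</description>
 <syntax>SSLVerifyClient <em>level</em></syntax>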
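--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -628,6 +628,7 @@
     const char    *crl_path;
     const char    *crl_file;
     ssl_crlcheck_t crl_check_mode;
+    BOOL           crl_allow_missing;
 
 #ifdef HAVE_OCSP_STAPLING
     /** OCSP stapling options */
@@ -726,6 +726,7 @@
 const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
+const char  *ssl_cmd_SSLCARevocationAllowMissing(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);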
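--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -119,6 +119,9 @@
                 "('/path/to/file' - PEM encoded)")
     SSL_CMD_SRV(CARevocationCheck, TAKE1,
                 "SSL CA Certificate Revocation List (CRL) checking mode")
+    SSL_CMD_SRV(CARevocationAllowMissing, TAKE1,
+                "SSL: whether to accept certificates without a corresponding CRL"
+                "('yes', 'no')")
     SSL_CMD_ALL(VerifyClient, TAKE1,
                 "SSL Client verify type "
                 "('none', 'optional', 'require', 'optional_no_ca')")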
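Review bot: The help text of the new SSL_CMD_SRV(CARevocationAllowMissing, ...) entry advertises `('yes', 'no')`, but the handler added in ssl_engine_config.c in this same patch accepts only "On"/"Off" (case-insensitively) and the manual documents `off|on`, so the usage string misleads operators about the accepted values. The two string literals are also concatenated without a separating space, so the message renders as `...corresponding CRL('yes', 'no')`; the neighbouring VerifyClient entry puts that space at the end of its first literal. Suggest `"SSL: whether to accept certificates without a corresponding CRL "` followed by `"('on', 'off')"`.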
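--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -124,6 +124,7 @@
     mctx->crl_path            = NULL;
     mctx->crl_file            = NULL;
     mctx->crl_check_mode      = SSL_CRLCHECK_UNSET;
+    mctx->crl_allow_missing   = FALSE;
 
     mctx->auth.ca_cert_path   = NULL;
     mctx->auth.ca_cert_file   = NULL;
@@ -247,6 +248,7 @@
     cfgMerge(crl_path, NULL);
     cfgMerge(crl_file, NULL);
     cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+    cfgMergeBool(crl_allow_missing);
 
     cfgMergeString(auth.ca_cert_path);
     cfgMergeString(auth.ca_cert_file);
@@ -964,6 +966,24 @@
     return ssl_cmd_crlcheck_parse(cmd, arg, &sc->server->crl_check_mode);
 }
 
+const char *ssl_cmd_SSLCARevocationAllowMissing(cmd_parms *cmd,
+                                                void *dcfg,
+                                                const char *arg)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+    
+    if (!strcasecmp(arg, "On")) {
+        sc->server->crl_allow_missing = TRUE;
+        return NULL;
+    }
+    else if (!strcasecmp(arg, "Off")) {
+        sc->server->crl_allow_missing = FALSE;
+        return NULL;
+    }
+
+    return "Argument must be On or Off";
+}
+
 static const char *ssl_cmd_verify_parse(cmd_parms *parms,
                                         const char *arg,
                                         ssl_verify_t *id)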
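Review bot: `crl_allow_missing` is initialised to `FALSE` in the first hunk (modssl_ctx_init) but merged with `cfgMergeBool` in the second, while the neighbouring `crl_check_mode` is initialised to `SSL_CRLCHECK_UNSET` and merged against that same sentinel. The definition of `cfgMergeBool` is not on this page; if, like the `cfgMerge(el, unset)` form used beside it, it keeps the base value only when the vhost's value equals an UNSET sentinel, then a virtual host that never mentions the directive carries `FALSE` and overrides a main-server `SSLCARevocationAllowMissing on`, so the "server config" context documented in the manual would not actually be inherited. Initialising the field to the same sentinel the merge uses, `mctx->crl_allow_missing = UNSET;`, and continuing to test it with `== TRUE` at the point of use (which already treats any other value as off) would give the same inheritance behaviour as the other merged options. Please confirm the sentinel against the macro definition before changing it.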
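--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1434,6 +1434,16 @@
          */
         return TRUE;
     }
+    
+    /*
+     * Ignore a missing CRL if SSLCARevocationAllowMissing is set to "On".
+     */
+    if (mctx->crl_allow_missing == TRUE &&
+        errnum == X509_V_ERR_UNABLE_TO_GET_CRL)
+    {
+        X509_STORE_CTX_set_error(ctx, X509_V_OK);
+        return TRUE;
+    }
 
     if (ssl_verify_error_is_optional(errnum) &&
         (verify == SSL_CVERIFY_OPTIONAL_NO_CA))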
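Review bot: The new branch rewrites `X509_V_ERR_UNABLE_TO_GET_CRL` to `X509_V_OK` and returns without leaving any trace in the error log, so an operator reviewing a connection later cannot tell whether revocation was checked for that client certificate or skipped because no CRL was found for its issuer. Since this is a deliberate relaxation of the revocation check, a debug-level log line emitted just before `X509_STORE_CTX_set_error(ctx, X509_V_OK);`, naming the certificate at the current depth for which no CRL was available, would make the effect of SSLCARevocationAllowMissing auditable and help distinguish "no CRL configured for this CA" from a broken CRL path. The comment above the `if` should also record that the override applies at every depth of the chain, not only to the leaf certificate's issuer, since the condition does not inspect the verification depth. The enclosing verify callback starts before this hunk.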
