Bug 63000

Summary: SSLCA* based directives never honoured for the client certificate auth for providing the CA names
Product: Apache httpd-2 Reporter: sbkrishna_segu
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: regression    
Priority: P2    
Version: 2.4.37   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description sbkrishna_segu 2018-12-10 18:13:29 UTC
I have configured httpd latest version 2.4.37 on my centos and osx box.

Have configured my vhost file to support mutual auth based authentication as follows:

<VirtualHost *:443>
ServerName test.mutual.auth.dev
ErrorLog /var/log/apache2/ssl_mutualauth_error_log
TransferLog /var/log/apache2/ssl_mutualauth_access_log
LogLevel debug

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile /mutualauth/data/portalCA/asf-cert.pem
SSLCertificateKeyFile /mutualauth/data/portalCA/server-key.pem
SSLCertificateChainFile /mutualauth/data/portalCA/ca-cert.pem

SSLVerifyClient require
SSLCACertificatePath    /mutualauth/data/certs/
SSLVerifyDepth          5
SSLHonorCipherOrder     On

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache2/ssl_asf_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPreserveHost on
</VirtualHost>

The above configuration when configured and tried to issue "openssl s_client -connect test.mutual.auth.dev:443" i get "No client certificate CA names sent".

But the same above configuration when tried with httpd 2.4.20 gives the appropriate CA names configured.

The behaviour is the same when using SSLCACertificateFile, SSLCADNRequestPath and SSLCADNRequestFile.