Bug 61574 - mod_ssl RFC: change uniqueness logic for SSLCADNRequest*
Summary: mod_ssl RFC: change uniqueness logic for SSLCADNRequest*
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2017-09-29 08:55 UTC by Joe Orton
Modified: 2017-09-29 14:05 UTC (History)
0 users

PoC using non-canonical name comparison in SSLCARequestDN* (7.57 KB, patch)
2017-09-29 08:55 UTC, Joe Orton
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Joe Orton 2017-09-29 08:55:36 UTC
Created attachment 35387 [details]
PoC using non-canonical name comparison in SSLCARequestDN*

We've hit an unusual case with a public CA which has issued two intermediate certificates used for issuing client certificates, where the subject names of the intermediate CAs only differ in the case of one character of the Subject DN (i.e. one has lower case, the other upper case).

OpenSSL treats these names as identical - it canonicalizes names internally (lower case, removing whitespace), and X509_NAME_cmp() compares as equal.  Other TLS implementations do not treat them as equal.

While the name comparison rules in https://tools.ietf.org/html/rfc3280#section- are clear, the rules in https://tools.ietf.org/html/rfc5280#section-7.1 are more ambiguous, with language like "Conforming implementations MUST support name comparisons using caseIgnoreMatch" not explicit.  Anyway, the CA apparently thinks this practice is acceptable.

One way to work around this is in mod_ssl is to change the behaviour of SSLCARequestDN* to avoid OpenSSL's standard (canonical) name comparison and rely on a bitwise DN comparison.

On one hand, few people need to use that directive, and the behaviour change should make no difference to 99.999% of them, so there should be little downside.  On the other hand, this forces unnecessary complexity into mod_ssl for a borderline standards violation.
Comment 1 Joe Orton 2017-09-29 14:05:09 UTC
I should have been more explicit here, the problem this creates is that mod_ssl can only send one of the two "duplicate" CA names in a certificate request, when both are required.