Bug 62769 - no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.34
Hardware: Other Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2018-09-28 12:06 UTC by Gunnar Lukas
Modified: 2018-11-01 15:43 UTC (History)



Attachments
Use parameters from Proxy config (1.45 KB, patch)
2018-10-01 07:34 UTC, Ruediger Pluem

Description Gunnar Lukas 2018-09-28 12:06:12 UTC
Apache in reverse proxy mode, with client-side certificate authentication configured and a TLS connection to the backend via ProxyPass (mod_proxy).

After an update from 

Apache/2.4.29 (Unix) OpenSSL/1.1.0g to 
Apache/2.4.34 (Unix) OpenSSL/1.1.0i

with no configuration change, the Apache error log threw many errors:

[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1688): [client 10.227.8.133:11443] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1714): [client 10.227.8.133:11443] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)

I figured out that the complaints were caused by some new behaviour in checking the backend server certificate. I could omit the AH02040 by setting SSLVerifyDepth from 1 to 2. And here my confusion starts.

Why does it affect the backend-side TLS connection if I configure parameters for the front-side TLS connection? We have only one level of CA hierarchy for client certificates and I don't want to set 2 here.

I was not able to overcome the AH02039 error. The certificate chain of the backend server's certificate is not interesting at reverse proxy level and was not needed for the last decades. Something changed which messed this up. Or is it wanted behaviour introduced by a new feature? I cannot find anything in the release notes of Apache or OpenSSL.


SSLCertificateFile      server.crt
SSLCertificateKeyFile   server.key
SSLCACertificateFile    client-ca.crt
SSLCertificateChainFile Server_CA.crt
SSLOptions              +StdEnvVars +ExportCertData

SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

<VirtualHost *:443>
   ServerName test.com
   SSLEngine      on
   SSLProxyEngine on

   <Location /portal>
      ProxyPass         https://1.2.3.4/portal 
      ProxyPassReverse  https://1.2.3.4/portal
      SSLRequireSSL
      SSLVerifyClient         require
      SSLVerifyDepth          2
   </Location>
</VirtualHost>
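The point of this report is that frontend client-certificate verification and backend (proxy) server-certificate verification are governed by two separate families of mod_ssl directives. The following configuration is an added example, not the reporter's configuration or the project's own; the backend CA file name (backend-ca.crt) is assumed, and the SSLProxy* values are the ones mod_ssl consults for backend connections once the "Use parameters from Proxy config" fix (2.4.36) is in place.

```apacheconf
# Added example (not from the bug report).
# Frontend: how this server verifies certificates presented by CLIENTS.
# SSLCACertificateFile and SSLVerifyDepth belong to this side only.
SSLCertificateFile        server.crt
SSLCertificateKeyFile     server.key
SSLCertificateChainFile   Server_CA.crt
SSLCACertificateFile      client-ca.crt     # trust anchors for client certs
SSLOptions                +StdEnvVars +ExportCertData

# Backend: how this server, acting as a TLS client, verifies the
# certificate presented by the proxied backend. These SSLProxy*
# directives are the ones the fix makes mod_ssl use for backend
# connections, instead of the frontend values above.
SSLProxyEngine            on
SSLProxyVerify            require
SSLProxyVerifyDepth       2                 # matches the two-certificate
                                            # backend chain seen in the log
SSLProxyCACertificateFile backend-ca.crt    # assumed file: trust anchors
                                            # for the backend's chain
# Keeping the peer checks enabled (their default) means a backend
# certificate for the wrong host or an expired one is rejected; the
# backend certificate must then name the host or IP used in ProxyPass.
SSLProxyCheckPeerName     on
SSLProxyCheckPeerExpire   on

<VirtualHost *:443>
   ServerName test.com
   SSLEngine      on

   <Location /portal>
      ProxyPass         https://1.2.3.4/portal
      ProxyPassReverse  https://1.2.3.4/portal
      SSLRequireSSL
      SSLVerifyClient   require
      SSLVerifyDepth    1     # one CA level for client certs, as the
                              # report wants; no longer affects the backend
   </Location>
</VirtualHost>
```

With the bug present (2.4.34), the frontend SSLVerifyDepth and SSLCACertificateFile were applied to the backend connection, which is why the reporter had to raise SSLVerifyDepth to 2 and still saw AH02039.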
Comment 1 Ruediger Pluem 2018-10-01 07:34:47 UTC
Created attachment 36178 [details]
Use parameters from Proxy config

Does the attached patch against 2.4.x fix your problem?
Comment 2 Gunnar Lukas 2018-10-01 09:41:36 UTC
I could check in dev/int against 2.4.34; the error messages are gone there.

unpatched:
[Mon Oct 01 11:35:58.385491 2018] [mpm_prefork:notice] [pid 29524] AH00163: Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:35:58.385518 2018] [core:notice] [pid 29524] AH00094: Command line: '/bin/httpd.2.4.34 -D SSL -f /conf/httpd.conf'
[Mon Oct 01 11:35:58.686733 2018] [ssl:error] [pid 29529] [remote 10.22.9.33:32000] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Mon Oct 01 11:35:58.686745 2018] [ssl:error] [pid 29529] [remote 10.22.9.33:32000] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)


patched:
[Mon Oct 01 11:37:28.339636 2018] [mpm_prefork:notice] [pid 29880] AH00163: Apache/2.4.34 (Unix) OpenSSL/1.1.0i configured -- resuming normal operations
[Mon Oct 01 11:37:28.339667 2018] [core:notice] [pid 29880] AH00094: Command line: '/bin/httpd.2.4.34.p1 -D SSL -f /conf/httpd.conf'
Comment 3 Ruediger Pluem 2018-10-01 18:22:55 UTC
Committed to trunk in r1842540.
Comment 4 Christophe JAILLET 2018-11-01 15:43:21 UTC
This has been backported to 2.4.x in r1843370.

This is part of 2.4.36.