Bug 63000 - SSLCA* based directives never honoured for the client certificate auth for providing the CA names
Summary: SSLCA* based directives never honoured for the client certificate auth for pr...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.37
Hardware: PC All
: P2 regression (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-10 18:13 UTC by sbkrishna_segu
Modified: 2018-12-10 18:41 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description sbkrishna_segu 2018-12-10 18:13:29 UTC
I have configured httpd latest version 2.4.37 on my centos and osx box.

Have configured my vhost file to support mutual auth based authentication as follows:

<VirtualHost *:443>
ServerName test.mutual.auth.dev
ErrorLog /var/log/apache2/ssl_mutualauth_error_log
TransferLog /var/log/apache2/ssl_mutualauth_access_log
LogLevel debug

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile /mutualauth/data/portalCA/asf-cert.pem
SSLCertificateKeyFile /mutualauth/data/portalCA/server-key.pem
SSLCertificateChainFile /mutualauth/data/portalCA/ca-cert.pem

SSLVerifyClient require
SSLCACertificatePath    /mutualauth/data/certs/
SSLVerifyDepth          5
SSLHonorCipherOrder     On

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/apache2/ssl_asf_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPreserveHost on
</VirtualHost>

The above configuration when configured and tried to issue "openssl s_client -connect test.mutual.auth.dev:443" i get "No client certificate CA names sent".

But the same above configuration when tried with httpd 2.4.20 gives the appropriate CA names configured.

The behaviour is the same when using SSLCACertificateFile, SSLCADNRequestPath and SSLCADNRequestFile.