63096 – TLS 1.3: Client certificates don't work if they are optional on virtual host but required on location

Bug 63096 - TLS 1.3: Client certificates don't work if they are optional on virtual host but required on location

Summary: TLS 1.3: Client certificates don't work if they are optional on virtual host ...

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.5-HEAD
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	PatchAvailable

Depends on:
Blocks:

Reported:	2019-01-21 16:42 UTC by Michael Kaufmann
Modified:	2019-08-01 07:46 UTC (History)
CC List:	2 users (show)

Attachments
Bugfix (522 bytes, patch) 2019-01-21 16:42 UTC, Michael Kaufmann	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Kaufmann 2019-01-21 16:42:58 UTC

Created attachment 36384 [details]
Bugfix

Apache does not perform a post-handshake authentication (request a client certificate) if the virtual host has the setting "SSLVerifyClient optional" and the location has the setting "SSLVerifyClient require".

This happens if the browser does not provide a client certificate at SSL handshake time. Apache should ask for a certificate when the location is accessed, but instead this error is logged:

SSL Library Error: error:1426811B:SSL routines:SSL_verify_client_post_handshake:invalid config

The bugfix is to remove the flag SSL_VERIFY_CLIENT_ONCE (see patch).