Bug 63096 - TLS 1.3: Client certificates don't work if they are optional on virtual host but required on location
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
Reported: 2019-01-21 16:42 UTC by Michael Kaufmann
Modified: 2019-08-01 07:46 UTC

Attachments
Bugfix (522 bytes, patch)
2019-01-21 16:42 UTC, Michael Kaufmann
Description Michael Kaufmann 2019-01-21 16:42:58 UTC
Created attachment 36384: Bugfix

Apache does not perform post-handshake authentication (request a client certificate) if the virtual host has the setting "SSLVerifyClient optional" and the location has the setting "SSLVerifyClient require".

This happens if the browser does not provide a client certificate at SSL handshake time. Apache should ask for a certificate when the location is accessed, but instead this error is logged:

SSL Library Error: error:1426811B:SSL routines:SSL_verify_client_post_handshake:invalid config

The bugfix is to remove the flag SSL_VERIFY_CLIENT_ONCE (see patch).
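The virtual-host/location combination the report describes, written out as a constructed configuration (not from the report or the attached patch); the hostname, certificate paths and the /protected path are placeholders:

```apache
# Constructed example of the configuration the report describes.
# Hostname, file paths and the location path are placeholders.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLProtocol -all +TLSv1.3
    SSLCertificateFile    /etc/ssl/certs/example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Virtual-host level: a client certificate is verified if the client
    # offers one, but the TLS handshake also succeeds without it.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Location level: a certificate is mandatory here. TLS 1.3 has no
    # renegotiation, so mod_ssl has to request the certificate through
    # post-handshake authentication when this path is accessed by a client
    # that sent no certificate during the initial handshake. The report
    # describes that request failing with
    #   SSL_verify_client_post_handshake:invalid config
    # instead of prompting the browser for a certificate.
    <Location /protected>
        SSLVerifyClient require
    </Location>
</VirtualHost>
```

Requesting /protected over TLS 1.3 without a client certificate and watching the error log for the SSL_verify_client_post_handshake line is the way to confirm whether a given build shows the behaviour reported here.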