https://issues.apache.org/bugzilla/show_bug.cgi?id=45054
Summary: SSLVerifyClient optional_no_ca is broken
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
The documented behavious for the option 'optional_no_ca' is that if the return
code
of SSL_Accept valid this predicate:
ssl_private.h:#define ssl_verify_error_is_optional(errnum) \
ssl_private.h- ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \
ssl_private.h- || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
ssl_private.h- || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
ssl_private.h- || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
ssl_private.h- || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
then the error code in SSL_VERIFY_CLIENT should be "FAILED:(an error message)"
but "GENEROUS".
This functionality is very useful to use certificate as an user-centric
authentication token, why forbid it with this code from ssl_engine_io.c:
if (ssl_verify_error_is_optional(verify_result) &&
(sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
{
/* leaving this log message as an error for the moment,
* according to the mod_ssl docs:
* "level optional_no_ca is actually against the idea
* of authentication (but can be used to establish
* SSL test pages, etc.)"
* optional_no_ca doesn't appear to work as advertised
* in 1.x
*/
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL client authentication failed, "
"accepting certificate based on "
"\"SSLVerifyClient optional_no_ca\" "
"configuration");
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
}
look that we don't reset the result to something good like X509_V_OK.
And this code that return the value of SSL_VERIFY_CLIENT:
if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL)
/* no client verification done at all */
result = "NONE";
else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
/* client verification done successful */
result = "SUCCESS";
else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
/* client verification done in generous way */
result = "GENEROUS";
else
/* client verification failed */
result = apr_psprintf(p, "FAILED:%s", verr);
if (xs)
X509_free(xs);
The third condition can never happen as vrc will be OK and vinfo == GENEROUS at
the same time.
Two approaches:
- reset the result code (we loss information), with a
SSL_set_verify_result(ssl, X509_V_OK); inside the first extracted code.
- change third condition with this patch:
- else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo,
"GENEROUS"))
+ else if (ssl_verify_error_is_optional(vrc) && vinfo != NULL &&
strEQ(vinfo, "GENEROUS"))
- bonus point would be to return the result code inside another variable and
completely removing the optional_no_ca option, web app could just use
optional and choose actions in function of SSL_VERIFY_CLIENT == FAILED and
the error code.
What do you think ?
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
