https://bz.apache.org/bugzilla/show_bug.cgi?id=57600

Kaspar Brand <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.10                      |2.5-HEAD
           Hardware|PC                          |All

--- Comment #1 from Kaspar Brand <[email protected]> ---
(In reply to JDR from comment #0)
> The mere presence of the SSLCACertificate{File,Path} directive is sufficient
> to make this CA certificate appear in the handshake. It is not necessary to
> have SSL client authentication enabled, i.e. it will still do this
> regardless of whether you configure an SSLVerifyClient directive or not.

This is actually a "feature" of OpenSSL, though of somewhat questionable value,
in particular when considering that self-signed trust anchors are also
automatically sent in the handshake.

Specifically, it's ssl_add_cert_chain() in ssl_cert.c where this is happening,
see the current version in the OpenSSL repository:

https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=ssl/ssl_cert.c;h=974259969f0585c489e89fa10774578b9b16cd12;hb=refs/heads/master#l1058

For two-tier CA hierarchies (root CA plus intermediate CA, which is the typical
case nowadays), it isn't really an issue, since a properly configured vhost
will either supply the intermediate CA via SSLCertificateChainFile or through
SSLCertificateFile (preferred as of version 2.4.8).

In your case (server cert issued straight from the root CA, so no ICA cert
involved), there isn't really a way to prevent the root cert from appearing in
the handshake other than omitting SSLCACertificateFile/SSLCACertificatePath,
however. We might "fix" it in mod_ssl by always disabling auto-chain-building
magic, like so:

Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c       (revision 1662189)
+++ modules/ssl/ssl_engine_init.c       (working copy)
@@ -614,6 +614,8 @@ static apr_status_t ssl_init_ctx_protocol(server_r
         SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif

+    SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+
     return APR_SUCCESS;
 }
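Review bot: setting SSL_MODE_NO_AUTO_CHAIN unconditionally in ssl_init_ctx_protocol() changes behaviour for every vhost, not just the uncommon root-issued setup this report describes: a vhost that never configured SSLCertificateChainFile and has so far relied on OpenSSL completing the chain from SSLCACertificateFile/SSLCACertificatePath would start sending an incomplete chain, which is the backwards-compatibility concern the comment itself raises. Suggest gating the `SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);` call behind a per-server option (or at least emitting a startup log message when the CA store is configured without an explicit chain), and documenting the change in the mod_ssl directive docs so administrators know why the root no longer appears.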


This might have other side effects, though, and affect backwards compatibility,
so I'm not sure if it's a) the right thing to do and b) worth the effort, since
we're talking about a rather uncommon setup.

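A check an administrator can run to see whether the trust anchor described above is being sent in the handshake, added here as an example that is not from the bug report or from mod_ssl: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` (a constructed sample of that output is embedded, PEM blobs omitted) and flags every self-signed certificate the server sent.

```python
import re
from typing import Dict, List

# Constructed sample of the chain section that
# `openssl s_client -connect host:443 -showcerts` prints; the PEM blocks are
# left out because only the subject (s:) and issuer (i:) lines matter here.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Root CA
 1 s:CN = Example Root CA
   i:CN = Example Root CA
---
Server certificate
"""

# Depth line: " 0 s:<subject>" ; issuer line: "   i:<issuer>".
# Both the newer "CN = x" and the older "/CN=x" name formats are accepted.
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(output: str) -> List[Dict[str, object]]:
    """Return the certificates the server sent, in handshake order."""
    chain: List[Dict[str, object]] = []
    current = None
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip()}
            chain.append(current)
            continue
        m = ISSUER_LINE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
            current = None  # the issuer line closes this entry
    return chain


def trust_anchors_sent(output: str) -> List[str]:
    """Subjects of self-signed certificates (subject == issuer) in the sent chain.

    A self-signed certificate in the handshake is a trust anchor the peer must
    already hold to validate the chain, so sending it adds bytes to every
    handshake without adding trust.  With mod_ssl this is the root leaking in
    from SSLCACertificateFile/Path through OpenSSL's automatic chain building.
    """
    return [str(c["subject"]) for c in parse_chain(output)
            if c.get("issuer") == c["subject"]]


if __name__ == "__main__":
    for subject in trust_anchors_sent(SAMPLE_S_CLIENT_OUTPUT):
        print("trust anchor sent in handshake:", subject)
```

In practice pipe the real output in, e.g. `openssl s_client -connect host:443 -showcerts </dev/null | python3 check_chain.py` with the script reading `sys.stdin`; an empty result means no root was sent.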