https://bz.apache.org/bugzilla/show_bug.cgi?id=59438
Bug ID: 59438
Summary: ServerInfo Extension 18 Missing for dual EC-RSA certificate configurations
Product: Apache httpd-2
Version: 2.4.20
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P3
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
I have received no response from Apache Dev Mailing List for 5 days.

I would like to draw your attention to a new patch for OpenSSL which will
ultimately mean that Apache needs to treat dual EC-RSA certificate
configurations with server info (currently used only for TLS extension of
certificate transparency) differently than until now. Specifically, the patches
are https://github.com/openssl/openssl/pull/914 and
https://github.com/openssl/openssl/pull/915.

They originated from research involving my Apache server configuration (on
Ubuntu 16.04) and Castaglia's coding of patches.

The Apache/OpenSSL bug is described fully here:
http://serverfault.com/questions/758482/apache-extension-error (the software I
used when I published this Serverfault thread was a bit older than now, but the
problem still persists in a different form: now instead of quitting the
connection OpenSSL accepts the connection but doesn't send ServerInfo data). In
particular, see the comment of Castaglia on their answer to the thread for a
possible new Apache idea of implementation.

Maybe the following would be a good approach: After the first
certificate-private key pair, accept a ServerInfo Openssl configuration
directive which would call SSL_CTX_use_serverinfo_file for that certificate.
Then the configuration goes on with the second certificate-private key pair and
after that, the second serverinfo file location via Openssl configuration
directive (if applicable, that is if the server has dual certificate
configuration). So, Apache would need to process each pair and then, if it
finds directly below it a serverinfo, call SSL_CTX_use_serverinfo_file for THAT
certificate. When a new certificate-key pair is registered, the
SSL_CTX_use_serverinfo_file would be called again but for the last certificate
only.

There is no error logged on any Apache log file.
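The per-certificate ordering proposed in the report, written out as an httpd configuration; this is an added illustration, not taken from the report or from httpd, with placeholder paths. `ServerInfoFile` is the OpenSSL SSL_CONF command name passed through `SSLOpenSSLConfCmd`; that mod_ssl attaches each file to the pair listed directly above it is exactly the behaviour the report asks for, not something the current release is stated to do.

```apache
# Added illustration (constructed, not from the bug report). Each
# certificate/key pair is immediately followed by the serverinfo file
# that carries its own extension 18 (signed certificate timestamp) data.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # First pair: RSA certificate, then the serverinfo data for THIS cert
    SSLCertificateFile      /path/to/rsa.crt
    SSLCertificateKeyFile   /path/to/rsa.key
    SSLOpenSSLConfCmd       ServerInfoFile /path/to/rsa.serverinfo

    # Second pair: ECDSA certificate, then its own serverinfo file.
    # Under the proposed handling, the second call to
    # SSL_CTX_use_serverinfo_file applies only to this last-loaded cert.
    SSLCertificateFile      /path/to/ecdsa.crt
    SSLCertificateKeyFile   /path/to/ecdsa.key
    SSLOpenSSLConfCmd       ServerInfoFile /path/to/ecdsa.serverinfo
</VirtualHost>
```

To check which certificate the extension is attached to, connect with `openssl s_client -connect www.example.com:443 -tlsextdebug` once with an RSA-only cipher and once with an ECDSA-only cipher and look for a server extension with id 18 in both handshakes.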