After several days of tracing through the mod_proxy/mod_ssl/OpenSSL code with gdb I now finally have a working setup with reverse proxy SSL client certificate authentication.
I encountered two problems:
1) AFAICT, the documentation of the SSLProxyMachineCertificateFile is incorrect. The docs state:

    This directive sets the all-in-one file where you keep the certificates of Certification Authorities (CAs) whose proxy client certificates are used for authentication of the proxy server to remote servers. This referenced file is simply the concatenation of the various PEM-encoded certificate files, in order of preference. Use this directive alternatively or additionally to SSLProxyMachineCertificatePath. Example:

    SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/
IMHO you should not put a bunch of CA certs in this file. The file should contain the SSL client certificate and its corresponding private key (by concatenating them in PEM-encoded format). I wonder if it can contain multiple certificates and keys?
Adding the private key fixes the SIGSEGV from the original mail.
2) It also seems that the current code cannot handle private keys that are passphrase protected. The key is never decrypted (there is no passphrase prompt), which results in a new SIGSEGV. Using a non-encrypted key fixes this second SIGSEGV.
Can anyone confirm/deny this behaviour? If it can be confirmed, I will add two new bugs in bugzilla.
For problem 2, can anyone give me some suggestions on how to solve this?
thx
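As an added example (not part of this thread), a small Python check for the two bundle defects described above: a machine-certificate file that carries no private key, and a passphrase-protected key that mod_proxy never decrypts. The PEM bodies below are constructed dummies, and the check is structural only; it does not verify that the key matches the certificate.

```python
import re

# Constructed sample PEM bundles; the base64 bodies are dummies, not real
# certificates or keys. They only exercise the structural checks below.
DUMMY_B64 = "MIIBszCCARwCAQAwDQYJKoZIhvcNAQEFBQAw\n"
CERT = "-----BEGIN CERTIFICATE-----\n" + DUMMY_B64 + "-----END CERTIFICATE-----\n"
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n" + DUMMY_B64
             + "-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 + DUMMY_B64 + "-----END RSA PRIVATE KEY-----\n")

CERT_ONLY = CERT                               # problem 1: no key, x_pkey stays NULL
CERT_AND_ENCRYPTED_KEY = CERT + ENCRYPTED_KEY  # problem 2: key is never decrypted
CERT_AND_PLAIN_KEY = CERT + PLAIN_KEY          # the layout that worked

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) pairs for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """True for PKCS#8 encrypted keys and legacy keys with Proc-Type: 4,ENCRYPTED."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_machine_cert_bundle(text):
    """Return a list of problems; empty means the bundle has what mod_proxy needs."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("missing CERTIFICATE")
    if not keys:
        problems.append("missing PRIVATE KEY")
    for label, body in keys:
        if key_is_encrypted(label, body):
            problems.append("PRIVATE KEY is passphrase-protected")
    return problems


def check_machine_cert_file(path):
    """File-based wrapper for checking a real SSLProxyMachineCertificateFile."""
    with open(path, encoding="ascii") as f:
        return check_machine_cert_bundle(f.read())


if __name__ == "__main__":
    for name, bundle in [("cert only", CERT_ONLY),
                         ("cert + encrypted key", CERT_AND_ENCRYPTED_KEY),
                         ("cert + plain key", CERT_AND_PLAIN_KEY)]:
        print(f"{name}: {check_machine_cert_bundle(bundle) or 'OK'}")
```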
Kris Verbeeck wrote:
Hi,
I have set up an Apache 2.0 reverse proxy that forwards incoming requests over SSL to a back-end web server (also an Apache 2.0). The back-end requires SSL client certificate authentication.
When firing a request, the reverse proxy child process segfaults. The segfault occurs in the ssl_callback_proxy_cert() function (ssl_engine_kernel.c) when calling the modssl_set_cert_info() macro. This macro is defined as follows:
#define modssl_set_cert_info(info, cert, pkey) \
    *cert = info->x509; \
    X509_reference_inc(*cert); \
    *pkey = info->x_pkey->dec_pkey; \
    EVP_PKEY_reference_inc(*pkey)
When tracing through the code with gdb the following values are present in the local variables:
(gdb) p info
$4 = (struct X509_info_st *) 0x8236688
(gdb) p cert
No symbol "cert" in current context.
(gdb) p pkey
$5 = (struct evp_pkey_st **) 0xbffff26c
(gdb) p *info
$6 = {x509 = 0x8236bf0, crl = 0x0, x_pkey = 0x0, enc_cipher = {cipher = 0x0,
iv = "�\024/KJh\207�"}, enc_len = 0, enc_data = 0x0, references = 1}
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x08095b9d in ssl_callback_proxy_cert (ssl=0x0, x509=0xbffff268,
pkey=0xbffff26c) at ssl_engine_kernel.c:1592
1592 modssl_set_cert_info(info, x509, pkey);
AFAICT, the problem is that the x_pkey field in the info structure is NULL (the third line in the macro tries to access a field in this x_pkey structure).
Has anybody else encountered a similar problem? Any suggestions on how this can be solved?
Relevant part of reverse proxy configuration:
ProxyPass /proxyssl https://backend:444
ProxyPassReverse /proxyssl https://backend:444
SSLProxyEngine on
SSLProxyMachineCertificateFile conf/ssl/backend-client.crt
Relevant part of back-end SSL server configuration:
Listen 444
<VirtualHost _default_:444>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile conf/ssl/ca-bundle.crt
SSLVerifyClient require
</VirtualHost>
Relevant part of Apache error_log:
[Thu Oct 16 07:18:41 2003] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: SSLv3 read server certificate request A
[Thu Oct 16 07:18:41 2003] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: SSLv3 read server done A
[Thu Oct 16 07:21:13 2003] [debug] ssl_engine_kernel.c(1554): Proxy client certificate callback: (host:80) entered
[Thu Oct 16 07:21:55 2003] [debug] ssl_engine_kernel.c(1527): Proxy client certificate callback: (host:80) found acceptable cert, sending /C=BE/ST=...
[Thu Oct 16 07:31:44 2003] [notice] child pid 2983 exit signal Segmentation fault (11)
-- ir. Kris Verbeeck Software Engineer
Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium T: +32 16 28 70 64 F: +32 16 28 70 77
Ubizen - We Secure e-business - www.ubizen.com
