Hi Kris,

On Wed, Oct 22, 2003 at 04:44:39PM +0200, Kris Verbeeck wrote:
> After several days of tracing through the mod_proxy/mod_ssl/OpenSSL code
> with gdb I now finally have a working setup with reverse proxy SSL client
> certificate authentication.
>
> I encountered two problems:
>
> 1) AFAICT, the documentation of the SSLProxyMachineCertificateFile is
> incorrect. The docs state: ...
> IMHO you should not put a bunch of CA certs in this file. The file
> should contain the SSL client certificate and its corresponding private
> key (by concatenating them in PEM-encoded format). I wonder if it can
> contain multiple certificates and keys?

Yup, that's a documentation bug, this section should just talk about
client certificates. Yes, you can put several client certs in a single
file, just append certificate, key, certificate, key, ... in PEM format.

> Adding the private key fixes the SIGSEGV from the original mail.
>
> 2) It also seems that the current code can not handle private keys
> that are passphrase protected. The key is never decrypted (there
> is no passphrase prompt) which results in a new SIGSEGV. Using a
> non-encrypted key fixes this second SIGSEGV.
>
> Can anyone confirm/deny this behaviour? If it can be confirmed,
> I will add two new bugs in bugzilla.

Yes, that's definitely a real bug, nice work.

> For problem 2, can anyone give me some suggestions on how to solve
> this?

ssl_engine_init.c needs to check that each loaded client cert has both
an X509 cert and a private key; if not, it should give an error and not
configure an incomplete X509_INFO structure.

(ssl_engine_pphrase.c could also be extended to support decrypting the
private keys used for the proxy, but I've not heard anyone screaming for
that feature)

Regards,

joe
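The two failure modes discussed in this thread (a certificate with no private key following it, and a passphrase-protected key that mod_ssl never decrypts) can both be caught by inspecting the PEM file before pointing SSLProxyMachineCertificateFile at it. The following is an added, stand-alone example written for this page; it is not code from the thread, from httpd or from mod_ssl. It walks the PEM blocks in file order and reports any certificate that is not immediately followed by a private key, and any key that is encrypted (legacy `Proc-Type: 4,ENCRYPTED` headers or a PKCS#8 `ENCRYPTED PRIVATE KEY` label). The sample file contents are constructed placeholders, not real key material. It does not check that each key actually matches its certificate; that step still needs a crypto library or the openssl CLI.

```python
import re
from typing import List, Tuple

# One PEM block: "-----BEGIN <LABEL>-----", body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def is_private_key(label: str) -> bool:
    # Covers "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
    # "ENCRYPTED PRIVATE KEY", ...
    return label.endswith("PRIVATE KEY")


def key_is_encrypted(label: str, body: str) -> bool:
    # PKCS#8 encrypted keys carry their own label; legacy (traditional)
    # PEM keys announce encryption with a Proc-Type header before the base64.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_machine_cert_file(text: str) -> List[str]:
    """Validate the certificate, key, certificate, key, ... layout.

    Returns a list of problems; an empty list means every certificate is
    followed by an unencrypted private key.
    """
    problems: List[str] = []
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]

    i = 0
    cert_no = 0
    while i < len(blocks):
        label, _body = blocks[i]
        if label != "CERTIFICATE":
            # A key (or anything else) where a certificate should start a pair.
            problems.append(f"block {i}: expected CERTIFICATE, found {label}")
            i += 1
            continue
        cert_no += 1
        if i + 1 >= len(blocks) or not is_private_key(blocks[i + 1][0]):
            # This is the "bunch of CA certs" layout the old docs suggested.
            problems.append(f"certificate #{cert_no}: no private key follows it")
            i += 1
            continue
        key_label, key_body = blocks[i + 1]
        if key_is_encrypted(key_label, key_body):
            problems.append(
                f"certificate #{cert_no}: private key is passphrase-protected"
            )
        i += 2
    return problems


# Constructed sample blocks (placeholder bodies, not real certificates or keys).
CERT = (
    "-----BEGIN CERTIFICATE-----\nMIIBxxCONSTRUCTED\n"
    "-----END CERTIFICATE-----\n"
)
KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIExxCONSTRUCTED\n"
    "-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF\n\n"
    "MIIExxCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFxxCONSTRUCTED\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    samples = {
        "two client certs, each with key": CERT + KEY + CERT + KEY,
        "CA bundle (no keys)": CERT + CERT,
        "legacy encrypted key": CERT + ENCRYPTED_KEY,
        "pkcs8 encrypted key": CERT + PKCS8_ENCRYPTED_KEY,
    }
    for name, content in samples.items():
        print(f"{name}: {check_machine_cert_file(content) or 'OK'}")
```

Run it against a real file with `check_machine_cert_file(open(path).read())`; anything it reports is a file that the mod_ssl of this thread would have crashed on rather than rejected cleanly.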
