I have created bugs 24029, 24030 and 24031 for the issues described in this thread.
Joe Orton wrote:
Hi Kris,
On Wed, Oct 22, 2003 at 04:44:39PM +0200, Kris Verbeeck wrote:
After several days of tracing through the mod_proxy/mod_ssl/OpenSSL code with gdb I now finally have a working setup with reverse proxy SSL client certificate authentication.
I encountered two problems:
1) AFAICT, the documentation of the SSLProxyMachineCertificateFile is incorrect. The docs state:
...
IMHO you should not put a bunch of CA certs in this file. The file should contain the SSL client certificate and its corresponding private key (by concatenating them in PEM-encoded format). I wonder if it can contain multiple certificates and keys?
Yup, that's a documentation bug, this section should just talk about client certificates. Yes, you can put several client certs in a single file, just append certificate, key, certificate key, ... in PEM format.
Adding the private key fixes the SIGSEGV from the original mail.
2) It also seems that the current code can not handle private keys that are passphrase protected. The key is never decrypted (there is no passphrase prompt) which results in a new SIGSEGV. Using a non-encrypted key fixes this second SIGSEGV.
Can anyone confirm/deny this behaviour? If it can be confirmed, I will add two new bugs in bugzilla.
Yes, that's definitely a real bug, nice work.
For problem 2, can anyone give me some suggestions on how to solve this?
ssl_engine_init.c needs to check that each loaded client cert has both an X509 cert and a private key; if not, it should give an error and not configure an incomplete X509_INFO structure. (ssl_engine_pphrase.c could also be extended to support decrypting the private keys used for the proxy, but I've not heard anyone screaming for that feature)
Regards,
joe
-- ir. Kris Verbeeck Software Engineer
Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium T: +32 16 28 70 64 F: +32 16 28 70 77
Ubizen - We Secure e-business - www.ubizen.com
