On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
> While I was testing revocation checking for client certs in an SNI
> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
> flaw in the current implementation when CRL information - i.e.
> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
> (don't know how much sense it makes to have non-global CRLs, but anyway...).

Someone bugged me about the SNI support so I finally got round to chasing 
this up.

I hacked up a quick test based on Dirk's make_sni.sh; this adds 
"SSLVerifyClient" & SSLCACertificateFile to the second and third named 
vhosts.

And this confirms my original suspicions: I can access those vhosts 
without having to present a certificate, i.e. the configured access 
control restrictions can be bypassed.  If I move the SSLVerifyClient/etc 
to the first vhost, it works as expected.

I'm testing trunk mod_ssl.

Index: make_sni.sh
===================================================================
--- make_sni.sh (revision 650539)
+++ make_sni.sh (working copy)
@@ -118,6 +118,13 @@
     -keyout ${DIR}/root.key -out ${DIR}/root.pem  \
     || exit 2
 
+# Also create a second root for signing client certs
+serial=$RANDOM
+openssl req -new -nodes -batch \
+    -x509  \
+    -days 10 -subj '/CN=Da Second Root/O=SNI testing/' -set_serial $serial \
+    -keyout ${DIR}/root-2.key -out ${DIR}/root-2.pem  \
+    || exit 2
 
 # Create the header for the example '/etc/hosts' file.
 #
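Review bot: this hunk creates root-2 but nothing in the patch issues a client certificate signed by it (or by root), so the only case the script can drive against the vhosts below is "no certificate presented"; that is enough for the bypass test described in the mail, but either a comment saying so or an extra `openssl req` / `openssl x509 -req` step producing a client cert would make the script self-contained. Minor: `serial=$RANDOM` here reseeds the same counter the per-host loop increments (`serial=\`expr $serial + 1\``); a separate variable for this root would keep the host serials independent of it.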
@@ -177,10 +184,13 @@
 set -- ${NAMES}
 DEFAULT=$1
 
+order=0
+
 for n in ${NAMES}
 do
     FQDN=$n.$DOMAIN
     serial=`expr $serial + 1`
+    order=`expr $order + 1`
 
     # Create a certificate request for this host.
     #
@@ -230,10 +240,24 @@
     SSLCertificateChainFile ${DIR}/root.pem
     SSLCertificateFile ${DIR}/ssl/$n.crt
     TransferLog ${DIR}/logs/access_$n
-</VirtualHost>
-
 EOM
+    case $order in
+    2) cat >> ${DIR}/httpd-sni.conf <<EOM
+    SSLCACertificate ${DIR}/root.pem
+    SSLVerifyClient require
+    SSLVerifyDepth 10
+EOM
+        ;;
+    3) cat >> ${DIR}/httpd-sni.conf <<EOM
+    SSLCACertificate ${DIR}/root-2.pem
+    SSLVerifyClient require
+    SSLVerifyDepth 10
+EOM
+       ;;
+    *) ;;
+    esac
 
+    echo '</VirtualHost>' >> ${DIR}/httpd-sni.conf
 done
 
 cat << EOM
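Review bot: `SSLCACertificate` on the two `+    SSLCACertificate ${DIR}/root.pem` / `${DIR}/root-2.pem` lines is not a mod_ssl directive; the mail body names the intended one, `SSLCACertificateFile`, and httpd refuses to start on an unknown directive, so the generated httpd-sni.conf will not load as written. Also, removing the `-` blank line after `</VirtualHost>` loses the separator between vhost blocks (an `echo` after the `echo '</VirtualHost>'` line restores it), and the `;;` terminators of the `2)` and `3)` cases are indented differently (8 vs 7 spaces).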

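A defender-side configuration check for the situation the mail describes, added here as an example and not code from the post or from the httpd project: it parses a minimal httpd config and flags name-based vhosts that are not first on their address but configure a stricter SSLVerifyClient than that first vhost, which is exactly the placement the mail reports as not enforced. The sample config, the minimal parser and the strictness ranking of SSLVerifyClient values are constructed assumptions.

```python
import re

# Constructed sample: three SNI vhosts on one address; only the later ones ask for client certs.
SAMPLE_CONF = """\
<VirtualHost *:8443>
    ServerName one.example.test
</VirtualHost>
<VirtualHost *:8443>
    ServerName two.example.test
    SSLCACertificateFile /tmp/sni/root.pem
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:8443>
    ServerName three.example.test
    SSLVerifyClient optional
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
# Assumed strictness order of SSLVerifyClient values, so later vhosts can be compared with the first.
RANK = {"none": 0, "optional_no_ca": 1, "optional": 1, "require": 2}

def parse_vhosts(text):
    """Return [(address, {directive_lower: value})] per <VirtualHost> in file order (minimal parser)."""
    vhosts, current = [], None
    for line in text.splitlines():
        if m := VHOST_OPEN.match(line):
            current = (m.group(1).strip(), {})
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):   # skip blank and comment lines
                current[1][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return vhosts

def find_unenforced_client_auth(text):
    """Return [(ServerName, address)] for non-first vhosts on an address with a stricter SSLVerifyClient."""
    groups = {}
    for addr, d in parse_vhosts(text):
        groups.setdefault(addr, []).append(d)
    findings = []
    for addr, vhosts in groups.items():
        first = RANK.get(vhosts[0].get("sslverifyclient", "none").lower(), 0)
        for d in vhosts[1:]:
            if RANK.get(d.get("sslverifyclient", "none").lower(), 0) > first:
                findings.append((d.get("servername", "<no ServerName>"), addr))
    return findings
```

Running `find_unenforced_client_auth(SAMPLE_CONF)` reports the second and third vhost; moving the client-cert directives to the first vhost on the address, as the mail notes works as expected, clears the finding.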