On 26/03/2014 11:11, Emilia Kasper wrote:
> Hi mod_ssl devs,
>
> I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods when
> available to automatically rebuild misconfigured certificate chains.
>
> Github pull request: https://github.com/apache/httpd/pull/7
>
> Some of the common server chain misconfigurations are a) including the
> self-signed root certificate in the chain and b) missing an intermediate
> certificate in the chain. a) is bad because it bloats the handshake and b) is
> bad because the client can't always validate the chain.
>
> The patch fixes a) by sanity-checking the chain and chopping self-signed
> roots.
> I believe it's harmless to turn on by default as the rebuild step will either
> yield a valid chain or preserve the original configuration.
>
> I've no good idea how to reliably detect and fix missing intermediates but
> would be happy to try out any good suggestions.
I think this is a good idea in principle. A major motivation for adding
SSL_CTX_build_cert_chain to OpenSSL was to correct common chain configuration
errors automatically (certificates in wrong order or additional bogus ones
added) and to detect some other cases (chain not complete). Badly configured
server chains have been a headache for clients for quite a while.

A secondary motivation was to improve efficiency by avoiding the "on the fly"
certificate chain building on each handshake and just build the chain once.

There are some side effects with doing this though. If the server is correctly
configured to exclude the root then the chain build will fail. The root is
needed during path verification to see that the chain is complete. Some old
"on the fly" configurations that place intermediate CAs in the trusted store
are also likely to fail.

Possible workaround is a way to turn off the checking, an
"IReallyKnowWhatImDoing" kind of thing, which is disabled by default. Or just
require affected users to reconfigure their servers.

As for the patch itself. There could be a cleaner way to achieve the same
thing. We're already optionally iterating through all certificates for OCSP
stapling using the 1.0.2 APIs so perhaps that can be adapted to perform a
chain build sanity check at the same time.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
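The chain-rebuild behaviour discussed in both messages (drop a self-signed root sent by mistake, reorder intermediates, fall back to the configured chain when the path cannot be completed, and Steve's caveat that the build fails when the root is not in the server's trust store) as an added, stand-alone model. This is not Emilia's patch, not mod_ssl code, and not a call into OpenSSL's SSL_CTX_build_cert_chain: certificates are represented by a constructed Cert record carrying only subject and issuer names, and "self-signed" is approximated by subject == issuer, whereas real code would match key identifiers and verify each signature. Both the certificate names and the rebuild_chain function are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509 object: only the names chain building
    needs. Real code must also match AKID/SKID and verify each signature with
    the issuer's key; here subject == issuer is taken to mean "self-signed"."""
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def rebuild_chain(configured: Sequence[Cert],
                  trusted: Sequence[Cert]) -> Tuple[List[Cert], List[str]]:
    """Rebuild the chain that will be sent to clients (hypothetical helper).

    configured[0] is the server (leaf) certificate; the rest is whatever the
    admin put in the chain file, in whatever order. trusted is the server's
    trust store. On success returns [leaf, intermediates...] with self-signed
    roots and stray certificates removed; on failure returns the configured
    chain unchanged, so the rebuild never makes the configuration worse.
    """
    if not configured:
        raise ValueError("no server certificate configured")
    leaf = configured[0]
    extra: Dict[str, Cert] = {c.subject: c for c in configured[1:]}
    roots = {c.subject for c in trusted if c.is_self_signed()}
    chain: List[Cert] = [leaf]
    notes: List[str] = []

    # Walk issuer links from the leaf towards a trust anchor.
    cur = leaf
    while not cur.is_self_signed():
        if cur.issuer in roots:
            break  # path ends at a trust anchor; the root itself is not sent
        nxt = extra.get(cur.issuer)
        if nxt is None or nxt in chain:
            # Missing intermediate, or a root that is neither configured nor
            # trusted: path verification cannot complete, keep what we had.
            notes.append(f"chain build failed: no usable certificate for "
                         f"issuer {cur.issuer!r}; keeping configured chain")
            return list(configured), notes
        chain.append(nxt)
        cur = nxt
    if cur.is_self_signed() and cur.subject not in roots:
        # A self-signed leaf, or a self-signed cert reached via the chain
        # file, that the trust store does not know: verification would fail.
        notes.append(f"chain build failed: self-signed {cur.subject!r} is not "
                     f"in the trust store; keeping configured chain")
        return list(configured), notes

    # Report what the rebuild changed relative to the admin's configuration.
    for c in configured:
        if c not in chain:
            kind = "self-signed root" if c.is_self_signed() else "certificate not on the path"
            notes.append(f"dropped {kind} {c.subject!r}")
    if [c for c in configured if c in chain] != chain:
        notes.append("reordered intermediates")
    return chain, notes


# Constructed sample PKI used for the demonstration below.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA")
SUB = Cert("Example Sub CA", "Example Issuing CA")
LEAF = Cert("www.example.com", "Example Issuing CA")
LEAF2 = Cert("api.example.com", "Example Sub CA")
OTHER_ROOT = Cert("Other Root CA", "Other Root CA")

if __name__ == "__main__":
    cases = {
        "correct chain": ([LEAF, INTER], [ROOT]),
        "root included (case a)": ([LEAF, INTER, ROOT], [ROOT]),
        "missing intermediate (case b)": ([LEAF], [ROOT]),
        "wrong order": ([LEAF2, INTER, SUB], [ROOT]),
        "root absent from trust store": ([LEAF, INTER], [OTHER_ROOT]),
    }
    for name, (configured, trusted) in cases.items():
        chain, notes = rebuild_chain(configured, trusted)
        print(f"{name}: {[c.subject for c in chain]} {notes}")
```

The last case is the side effect Steve raises: a server that correctly omits the root from its chain file still needs that root in its own trust store, otherwise the build cannot prove the chain complete and the helper leaves the configured chain untouched rather than guessing.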
