Hi There: The limitations of mod_ssl for path validation are further than what you have described, in that it also cannot perform policy mapping up the entire certificate chain, and also has no concept of how to deal with AIA or SIA fields. I'm not sure where the developers are in terms of full RFC 3280 Path Validation compliance, but as we also have a need for more full path validation, especially a model that will work in a Cross-Certification type environment.
It is our intent to be starting to work on this this fall, unless we hear from the community that there is already work underway to add in full 3280 validation to mod_ssl. (I'll probably take this over to modssl-devel, but since you asked, I thought that I would bring it up here.) Cheers. On Thursday 31 August 2006 08:53, [EMAIL PROTECTED] wrote: > All, > > I am working in an environment utilizing a PKI consisting of several > Root and Intermediate Certificate Authorities. In order to reduce the > overhead when requiring client authentication using digital > certificates, I am using the following two directives: > > SSLCACertificatePath – Used for Root and Intermediate CAs > SSLCARevocationPath – Used to Process Certificate Revocation Lists > > I’ve yet to encounter a version of Apache and Mod_SSL performing proper > path validation. If a user presents a certificate that is revoked, but > not included in the directory containing all the PEM/Base64 encoded CRL > files and associated symbolic links, Apache allows access. > > If a user presents a certificate issued from an Intermediate > Certificate Authority that is not included in the directory containing > all the Root and Intermediate CA certificates in PEM/Base64 encoded > format and associated symbolic links, he/she is allowed access. > > I would prefer the system to validate the entire chain and not allow > access in the event a local CRL file or Intermediate CA certificate is > not available. By default, IIS performs this path validation correctly. > If IIS does not have a current CRL file issued by each and every CA in > the certificate path, the client is denied access. If IIS does not have > a certificate from each and every CA in the certificate path, the > client is denied access. > > I am trying to automate the process of updating the CA certificate > directory and associated CRL directories by scheduling a job to run on > a nightly basis. If Apache has a local CRL and CA certificate from each > and every CA in the path used to issue the client certificates, then > all checks are performed and the client is properly validated. > > I would prefer the system default to “Closed” instead of “Open” in the > event an Intermediate CA certificate is unavailable or no CRL file is > available. Again, the system must have at least one CA certificate > trusted and available locally, but no CRL files. > > Note: I have issued a client certificate from a client certificate > issued by on of the Intermediate CAs and Apache does deny access > because the key usage of the client certificate does not allow it to be > used as a Root CA and issue additional client certificates. I used > OpenSSL in order to issue client certificates from a client > certificate. This type of path validation seems to work on all the > versions of Apache and Mod_SSL I’ve tested. > > Thanks > ______________________________________________________________________ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Manager [EMAIL PROTECTED] -- Patrick Patterson President and CEO Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]
