On Mon, Aug 04, 2003 at 12:37:51PM -0700, Sander Temme wrote: > Hi all, > > This patch fixes a problem that occurs when RSA SSL-C is used as back-end > for mod_ssl:
Just looked into this again, we'd seen this same problem on a few boxes (using OpenSSL of course), but not on others, and had been using exactly the same patch as you, and now I triggered the thing again today. It is a directory ordering bug (they are the order of the day it seems :): successful operation depends on readdir() returning client_ok.pem first, which is not guaranteed but happens sometimes; since all the certs match the CA names offered any of them will be chosen. So this really is a correct fix. I suppose there is a mod_ssl bug here too: SSLP.M.C.Path is not consistent in determining which client cert is used if several would match the CA names offered, it just relies on directory ordering. I'll check this in, anyway. Very belated thanks :) > Index: t/conf/ssl/proxyssl.conf.in > =================================================================== > RCS file: > /home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v > retrieving revision 1.11 > diff -u -r1.11 proxyssl.conf.in > --- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -0000 1.11 > +++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -0000 > @@ -34,7 +34,7 @@ > #these are not on by default in the 1.x based mod_ssl > <IfDefine APACHE2> > SSLProxyEngine On > - #SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem > + SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem > #client_ok.pem should be loaded first > SSLProxyMachineCertificatePath @SSLCA@/asf/proxy > SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt
