14560 – SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x

Bug 14560 - SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x

Summary: SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x

Status:	CLOSED FIXED

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.0.43
Hardware:	PC Linux

Importance:	P3 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2002-11-14 19:26 UTC by John Koyle
Modified:	2004-11-16 19:05 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Koyle 2002-11-14 19:26:26 UTC

I found that the SSLCertificateChainFile directive was not behaving the same as
it has in apache v1.3.

According to the verisign, when using a global certificate, you need to use the
above directive to provide the client with the Intermediate CA.  So, in my old
v1.3 configuration I had the following 3 directives:

SSLCertificateChainFile ssl.crt/ca.crt
SSLCertificateFile ssl.crt/server.crt
SSLCertificateKeyFile ssl.key/server.key

This doesn't work under apache2 however.  The certificate in the chainfile never
seems to be presented to the client.  Clients were getting presented with the
unrecognized signing authority error.

According to the comments in the ssl.conf sample config file, you can also point
it to the SSLCertificateFile if the intermediate CA is directly appended to the
bottom of the file. This did fix the problem.

Here's my specs:

RH v7.3
openssl-0.9.6b-28
./configure --prefix=/a01/app/dpxdemo/apache_2.0.43 --enable-mods-shared=all
--enable-ssl

Thanks,
John

Comment 1 ballou 2003-02-28 21:51:08 UTC

I think this is because the boolean skip_first in ssl_init_ctx_cert_chain is
mistakenly initialized as TRUE (should be FALSE).  This means the first
certificate in the SSLCertificateChain file is always ignored.  (The intent
seems to be to allow the same file to be named in the SSLCertificateFile and
SSLCertificateChain file directive.  If this is the case, the code assumes the
first certificate in the chain file is the SSL server's certificate.  This
certificate is skipped when adding the extra certificates to the SSL context.)

I have tested the attached patch against version 2.0.44 and verified that it
causes the SSLCertificateChain directive to work as documented.

Comment 2 ballou 2003-02-28 21:54:19 UTC

I could not create an attachment, so I'll include the patch directly here (it is
a one line change).

--- modules/ssl/ssl_engine_init.c.bak   Mon Jan 13 12:10:55 2003
+++ modules/ssl/ssl_engine_init.c       Fri Feb 28 15:30:42 2003
@@ -654,7 +654,7 @@
                                     apr_pool_t *ptemp,
                                     modssl_ctx_t *mctx)
 {
-    BOOL skip_first = TRUE;
+    BOOL skip_first = FALSE;
     int i, n;
     const char *chain = mctx->cert_chain;

Comment 3 William A. Rowe Jr. 2003-03-06 16:02:28 UTC

  Thanks for confirming that this is the right fix.  Your bug report escaped
  my attention, but Madhu noticed this too back in January, and I reviewed that
  change with the committer, who agrees it was bogus.

  We've reverted back to defaulting to *NOT* skip_first as your patch proposed,
  and all should be well again with 2.0.45.