Created attachment 23569 [details] Patch for sending first configured client cert as last resolve Currently the selection of the correct client certificate when using the SSLProxy functionality is fully dependent on the CA list returned by the server. When no exact match is found between client cert issuer and one of the CA's in the list from the server the connection fails. In my environment we communicate with a probably misconfigured server that has not got the exact same issuer CA in it's list as it used in the provided client certificate. This causes the connection to fail because no correct client cert can be found. The problem is that the provider probably assumes that the complete CA chain is tested against all returned CA's from the server since the client certificate's root cert is indeed in the list, but the current code only seems to check against the issuer as found in the client cert and not the entire CA chain. To solve the problem the attached patch was done against 2.2.11 to allow the certificate selection routine to return the first configured certificate in the list if no exact match can be found. I realise that this is probably bugfixing at the wrong end, but if so, questions must be made if the server was configured incorrectly, or if the way mod_ssl evaluates the candidate certificates is the correct way. In both cases I see no harm in returning the first client cert in the list as a last resolve since existing functionality is not changed, but some might disagree.
Created attachment 23570 [details] Patch for sending first configured client cert as last resolve. Updated the patch to conform to patch submission guidelines.
Created attachment 26959 [details] Modified code for Apache 2.2.17 Line number of the function ssl_callback_proxy_cert() differs from Martijn Schoemakers 2.2.11 version.
This fix has been verified OK on modified Apache 2.2.17 installation. I've uploaded the modified ssl_engine_kernel.c code. Changes from existing version is on lines 1709-1713. Great work, Martijn :)
Created attachment 26981 [details] Apache 2.2.17 w/mod_ssl patch Here's the unified diff file for patching ssl_engine_kernel.c (as posted by Martijn Schoemaker). This resolved a problem related to the use of SSLProxy with a client certificate. The configuration used mod_proxy as a reverse proxy to a HTTPS server with a certificate signed by CA. The client certificate (SSLProxyMachineCertificateFile) was signed by the aforementioned CA and the config was pointing to this CA (SSLProxyCACertificateFile). A standard Apache 2.2.17 installation did not find the client certificate and therefore failed. Here's an excerpt from the debug log while it was failing: [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server hello A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 1, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 0, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server key exchange A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate request A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server done A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (www.example.com:443) entered [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (www.example.com:443) no client certificate found!? [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write client certificate A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write client key exchange A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write change cipher spec A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write finished A [Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 flush data After patching the client certificate was sent correctly. [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server hello A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 1, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 0, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/emailAddress=xx@xx.xxx [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server certificate A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server key exchange A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server certificate request A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server done A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (www.example.com:443) entered [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (www.example.com:443) no client certificate found!? [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1633): Proxy client certificate callback: (www.example.com:443) No acceptable cert found, sending first in list., sending /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example Client Cert/emailAddress=xx@xx.xxx [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write client certificate A [Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write client key exchange A [Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write certificate verify A [Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write change cipher spec A [Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write finished A [Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 flush data
Issue still persists in 2.2.25. Attaching updated patch.
Created attachment 30826 [details] Updated patch for 2.2.25
Hey there, guys. This bug is still actual. Any update on this? Server version: Apache/2.4.10 (Debian) Server built: Jan 3 2016 03:50:53 Server's Module Magic Number: 20120211:37 Server loaded: APR 1.5.1, APR-UTIL 1.5.4 Compiled using: APR 1.5.1, APR-UTIL 1.5.4 Architecture: 32-bit Server MPM: prefork threaded: no forked: yes (variable process count) Server compiled with.... -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/etc/apache2" -D SUEXEC_BIN="/usr/lib/apache2/suexec" -D DEFAULT_PIDLOG="/var/run/apache2.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="mime.types" -D SERVER_CONFIG_FILE="apache2.conf"
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.