Client Certificate verification expects the client to provide a full certificate chain back to a trusted root. However, with the introduction of Cross-certification configuration, there may be multiple "valid" paths, of differing scope. OpenSSL (HEAD/c.a. 1.0.2) has provided support for a Trusted First flag to verification processing, and I would like to see that make it's way back into mod_ssl. As I'm using RHEL-5, I'd like to get EL-5 to update it's mod_ssl (and openssl), but I'd like to get the patch into mod_ssl's "upstream," as well. Basically, when verifying the Client certificate, the chain building process should always check for the "next" (higher) CA Certificate to be in the "trusted" store on the server-side, and if it finds it there, to use it; continuing to build the chain from the server's store, ignoring the clients store where possible. This will allow clients to provide intermediates up to a point (making it so the server needn't track all intermediates). Once the point of cross-certification is reached, the verification will proceed only through the servers' version to the Roots/intermediates it trusts, rather than needing to trust the client-offered chain -- which will vary in trust-scope. To reproduce: 1. Generate a CA structure that has multiple roots, and issue one of the intermediates, or one of the "Root" certificates through both CA structures. 2. Configuration two browser-profiles; one to use each separate chain. 3. Configure the server to trust one of the Roots, but not the other. 4. One profile should "work," and the other should result in a "Local Issuer not found (20)" type error. E.g., [Cross-Certification (CC) Root CA] | [Intermediate CC 1] | [Re-issued non-CC "Root" CA] <--same keys--> [Self-Signed (SS) Root CA] \ / \ / \ / [Intermediate issued from cross-certified CA] | [End-entity (user) certificate]
Created attachment 28448 [details] Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl Adds support for new Server-wide directive, SSLTrustedFirst, which enables the ctx->param->flags for openssl's TrustedFirst directive when doing client verification.
(In reply to comment #1) > Created attachment 28448 [details] > Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl This patch only includes the changes to OpenSSL, but none for mod_ssl. > Adds support for new Server-wide directive, SSLTrustedFirst, which enables the > ctx->param->flags for openssl's TrustedFirst directive when doing client > verification. If we do this, we'll want to make it a per-vhost directive (same as SSLCACertificateFile and friends). It's too early to consider adding support for this to mod_ssl, however (even for trunk). The X509_V_FLAG_TRUSTED_FIRST verification flag was added to OpenSSL in http://cvs.openssl.org/chngview?cn=19324 and will first appear in 1.1.0, which won't be released that soon, most likely.
Created attachment 28460 [details] Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl Sorry; I attached the wrong diff, obviously. Here's the one against mod_ssl 2.2.3 (via Centos 5)