Re: SNI in 2.2.x (Re: Time for 2.2.10?)

Thu, 23 Apr 2009 22:15:37 -0700 

Plüm, Rüdiger, VF-Group wrote:
> As I said further down below I see also good and valid use cases for the
> combination
> SSLVerifyClient optional
> and
> %{SSL_CLIENT_VERIFY}
> And this combination should be safe even if this comes at the price that
> some configuration are not possible without SNI. But yes, we may disagree
> on this :-).

If that's the only remaining issue which needs to be sorted out, then
I feel quite confident that we'll be able to agree on a solution
within very reasonable time :-)

> I would only love to see that the parts in your patch were you
> used r->connection->aborted are adjusted accordingly.

Using modssl_set_verify to restore the setting to "verify_old" seems
fine, AFAICT (the client is free to retry the request over the same
connection, but we'll send him a 403 again, anyway... that even saves
us additional handshakes, in case of stubborn clients repeating
their requests).

Here's another idea for trying to cut that Gordian knot:

        if ((r->server != handshakeserver)
            && renegotiate
            && ((verify & SSL_VERIFY_PEER) ||
                (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
            SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);

#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
            (sc1->server->auth.f && \
             (!sc2->server->auth.f || \
              sc2->server->auth.f && \
              strNE(sc1->server->auth.f, sc2->server->auth.f)))

            if ((MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
                 MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) &&
                (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                         "Non-default virtual host with SSLVerify set to "
                         "'require' and VirtualHost-specific CA certificate "
                         "list is only available to clients with TLS server "
                         "name indication (SNI) support");
                    modssl_set_verify(ssl, verify_old, NULL);
                    return HTTP_FORBIDDEN;
            } else
                /* let it pass, possibly with an "incorrect" peer cert,
                 * so make sure the SSL_CLIENT_VERIFY environment variable
                 * will indicate partial success only, later on.
                 */
                sslconn->verify_info = "GENEROUS";
        }

I.e., if someone configures a non-default vhost with "SSLVerifyClient optional",
and checks for %{SSL_CLIENT_VERIFY} in an SSLRequire expression (hopefully
with 'eq "SUCCESS"'), then non-SNI clients will still be banned.

Kaspar

Reply via email to