> -----Original Message-----
> From: Kaspar Brand
> Sent: Friday, 24 April 2009 07:15
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
> 
> Plüm, Rüdiger, VF-Group wrote:
> > As I said further down below, I also see good and valid use cases for the
> > combination
> > SSLVerifyClient optional
> > and
> > %{SSL_CLIENT_VERIFY}
> > And this combination should be safe even if this comes at the price that
> > some configurations are not possible without SNI. But yes, we may disagree
> > on this :-).
> 
> If that's the only remaining issue which needs to be sorted out, then
> I feel quite confident that we'll be able to agree on a solution
> within very reasonable time :-)
> 
> > I would only love to see that the parts in your patch where you
> > used r->connection->aborted are adjusted accordingly.
> 
> Using modssl_set_verify to restore the setting to "verify_old" seems
> fine, AFAICT (the client is free to retry the request over the same
> connection, but we'll send him a 403 again, anyway... that even saves
> us additional handshakes, in case of stubborn clients repeating
> their requests).
> 
> Here's another idea for trying to cut that Gordian knot:
> 
>         if ((r->server != handshakeserver)
>             && renegotiate
>             && ((verify & SSL_VERIFY_PEER) ||
>                 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
>             SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
> 
> #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
>             (sc1->server->auth.f && \
>              (!sc2->server->auth.f || \
>               sc2->server->auth.f && \
>               strNE(sc1->server->auth.f, sc2->server->auth.f)))
> 
>             if ((MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
>                  MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) &&
>                 (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
>                     ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
>                          "Non-default virtual host with SSLVerify set to "
>                          "'require' and VirtualHost-specific CA certificate "
>                          "list is only available to clients with TLS server "
>                          "name indication (SNI) support");
>                     modssl_set_verify(ssl, verify_old, NULL);
>                     return HTTP_FORBIDDEN;
>             } else
>                 /* let it pass, possibly with an "incorrect" peer cert,
>                  * so make sure the SSL_CLIENT_VERIFY environment variable
>                  * will indicate partial success only, later on.
>                  */
>                 sslconn->verify_info = "GENEROUS";
>         }
> 
> I.e., if someone configures a non-default vhost with "SSLVerifyClient optional",
> and checks for %{SSL_CLIENT_VERIFY} in an SSLRequire expression (hopefully
> with 'eq "SUCCESS"'), then non-SNI clients will still be banned.

That should work. Comparing against anything else but 'SUCCESS' is 
IMHO a flaw in the configuration. 'GENEROUS' IMHO only says that some
kind of certificate was sent at all.

Mind sending a version v9 of your patch so that I can review the complete
one again?
Thanks for your efforts.

Regards

Rüdiger
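A configuration pair for the situation discussed in this thread, added here as an illustration and not taken from the thread or from the httpd sources; hostnames, file paths and Location prefixes are placeholders. It shows a non-default vhost with "SSLVerifyClient optional" and a vhost-specific CA list, with the flawed SSLRequire check beside the one that only accepts SUCCESS.

```apache
# Added example (placeholders throughout). With the patch discussed above, a
# client without SNI that ends up in the non-default vhost below gets
# SSL_CLIENT_VERIFY=GENEROUS instead of SUCCESS, because its certificate was
# never checked against this vhost's own CA list.

NameVirtualHost *:443

# Default (first) vhost: this is the one a non-SNI client handshakes with.
<VirtualHost *:443>
    ServerName            default.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/default.example.com.crt
    SSLCertificateKeyFile /etc/ssl/default.example.com.key
</VirtualHost>

# Non-default vhost with its own client CA list and optional client auth.
<VirtualHost *:443>
    ServerName            partner.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/partner.example.com.crt
    SSLCertificateKeyFile /etc/ssl/partner.example.com.key
    SSLCACertificateFile  /etc/ssl/partner-clients-ca.pem
    SSLVerifyClient       optional

    # Flawed: "anything but NONE" also admits GENEROUS, i.e. a certificate
    # that was presented but not validated against partner-clients-ca.pem.
    <Location /api-weak>
        SSLRequire %{SSL_CLIENT_VERIFY} ne "NONE"
    </Location>

    # Correct: only a certificate verified against this vhost's CA list
    # yields SUCCESS; GENEROUS (non-SNI client) and NONE (no certificate)
    # are both refused with 403.
    <Location /api>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```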
