Hello.
We (Cybernetica AS) would like to add a feature to the Apache httpd mod_ssl
module. This mail is about asking for advice and feasibility.
We have a client who has a problem with CA chains. They have a local CA, local
CA issues client certificates. Local CA has working OCSP responder and the
client certs have AIA extension with OCSP URL. The CA chain continues up to
other organizations and at least one upper level subCA has no OCSP responder
that can answer about its validity (Root CA has no OCSP for its client subca
certificates).
In this situation, it seems impossible to enable OCSP client certificate
checking. If we enable SSLOCSPEnable, OCSP is required for all certs in the
client-supplied chain up to trusted root. This is a problem with multiple
popular browsers - at least Safari and Chrome send full cert chain from client
cert to root cert, and it cannot be verified. Firefox sends cert chain only up
to the CA advertised by mod_ssl and this works (but they can not create a site
working with single browser only).
So we propose to write a patch to mod_ssl to add a configuration option for
OCSP to enable only leaf certificate checking, not the full chain (or checking
up to the CA advertised to clients, not the root CA) - similarly to
"SSLCARevocationCheck leaf" (and please tell me if there is a better approach).
Now, my question - if we implement it according to Apache coding conventions,
is this a kind of feature that would be accepted to Apache httpd upstream?
--
Meelis Roos <mr...@cyber.ee>
security engineer
Cybernetica AS
Estonia
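As an added illustration that is not part of the mail above or of any httpd patch, the following mod_ssl virtual host shows the configuration the mail describes: client certificate authentication with OCSP checking, the setting that forces OCSP on the whole presented chain, and the leaf-only alternative the mail proposes. File paths and the responder URL are placeholders. The `leaf` value for SSLOCSPEnable is the one httpd 2.4.26 and later provide for this case; confirm it against the documentation of the version actually installed, since older releases accept only on|off. Apache configuration does not allow comments after a directive on the same line, so every comment sits on its own line.

```apache
# Added example, not code from the mail or from the httpd project.
# All paths and URLs below are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # Trust store used to verify the client's chain. It must contain the
    # full path up to the root, otherwise verification fails regardless of
    # any OCSP setting.
    SSLCACertificateFile  /etc/ssl/client-ca-chain.pem

    # CA names advertised to clients in the CertificateRequest message.
    # Listing only the local issuing CA here limits what mod_ssl asks for,
    # but browsers such as Safari and Chrome may still send the full chain
    # up to the root, which is the situation the mail describes.
    SSLCADNRequestFile    /etc/ssl/local-ca.pem

    # Require a client certificate and allow enough depth for
    # client cert -> local CA -> upper sub-CA -> root.
    SSLVerifyClient require
    SSLVerifyDepth  4

    # Setting from the mail: OCSP is attempted for every certificate in the
    # presented chain. A chain containing a sub-CA whose issuer publishes no
    # OCSP responder cannot be validated and the handshake is rejected.
    SSLOCSPEnable on

    # Leaf-only mode, which is what the mail proposes. Only the client
    # certificate itself is checked against the responder from its AIA
    # extension; intermediates are still verified by signature against the
    # trust store above, just not for revocation via OCSP.
    # Available in httpd 2.4.26 and later; check the docs for your version.
    #SSLOCSPEnable leaf

    # Optional fallback responder for certificates whose AIA extension
    # carries no OCSP URL.
    #SSLOCSPDefaultResponder http://ocsp.example.test/
</VirtualHost>
```

To reproduce the failure the mail describes, keep `SSLOCSPEnable on` and present a client certificate whose chain includes an intermediate without a reachable responder; switching the two SSLOCSPEnable lines (commenting out `on`, enabling `leaf`) is the change that keeps revocation checking for the client certificate while no longer depending on OCSP for the upper CAs.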