Ralf S. Engelschall wrote:
>
> On Wed, Jun 23, 1999, Matthias Loepfe wrote:
>
> > I'm testing some of your new features in mod_ssl. I'm currently testing the
> > unreleased patch for the SSLProxy.
> >
> > Am I right that client certificate handling is not yet finished?
>
> Hmmm... there might still be a bug, yes. Client certificate handling should
> finally work, of course. At least the patch is _proposed_ to be complete.
>
> The patch was originally derived from Stronghold 2.4 and contributed to the
> project by C2Net. I then ported it to the latest OpenSSL API, overhauled
> it, cleaned it up and integrated it into one of my development trees. But I've
> still not tested it myself in depth (that, together with the lack of
> documentation, is the reason why it's still not released with 2.3). So either the
> client cert handling was already broken in Stronghold ;), the stuff was
> forgotten to be incorporated, or I broke it when I overhauled it. So in order
> to find the bug we have to look at the whole code again.
>
> > It seems that the private keys are not yet read, which results in a SEGV deep in
> > OpenSSL at the point where the private key is needed.
> >
> > I have some more questions which I will send each in a different mail for
> > better handling.
>
> Hmmm... the client handling should be done on-the-fly. But perhaps the
> loading is already broken. You can find it in functions
> SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c. The
> on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
> You can debug this by adding some ssl_log() calls to this function.
> Perhaps no CA matches the client certs.
I already stepped through the code with the debugger before I sent the last
mail. To me it looks as if the whole code for loading the private keys
is missing. I think the name of the function which loads the certs,
'SSL_CA_load_certs_file()', is strange (probably legacy). The 'CA' means to me
that it was written to load CA certs, for which we never have to load a private key.
The other thing is that if you load a file with multiple certs in it, how can
you easily assign and find the private keys? I expect for this usage that
each file MUST contain the cert and the private key and only that.
As the private keys are normally encrypted, I think we should add these certs and
keys to the 'szPublicCertFile' and 'szPrivateKeyFile' arrays so that they get
handled by the 'ssl_pphrase_Handle' function.
What do you think?
>
> I'm appending the latest state of the patch, which should apply fine against
> 2.3.5. I currently have no real time available for this patch, so it would be
> great if you could help me here a little bit more.
Sure, I'll try to make it work.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
>
-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED] Voice: +41 1 272 6111 Fax: +41 1 272 6312
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
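The per-file rule proposed in the message above (each client-cert file holds exactly one certificate plus its private key, and encrypted keys are routed to the pass-phrase handler) can be checked before anything is handed to OpenSSL. The following is an added example, not mod_ssl's or Stronghold's code: a small pure-Python scanner that splits a PEM file into its blocks, reads the RFC 1421 style `Proc-Type`/`DEK-Info` headers that OpenSSL writes for traditionally encrypted keys, recognises the PKCS#8 `ENCRYPTED PRIVATE KEY` form, enforces the one-cert-one-key rule and sorts the files into those that are ready and those that need a pass phrase. The sample files are constructed: their base64 bodies are placeholder bytes, not real DER, and the `DEK-Info` IV is a made-up value, so only the PEM framing and the policy are exercised; the function names are this example's own.

```python
import base64
import re

# --- constructed sample input (placeholder bodies, not real keys or certs) ---
def _fake_body(tag: str) -> str:
    # Valid base64 so the block decodes, but the bytes are not DER.
    return base64.b64encode(f"placeholder {tag} (constructed)".encode()).decode()

# Cert + RSA key encrypted the traditional OpenSSL way (Proc-Type/DEK-Info).
# The DEK-Info IV is a constructed placeholder value.
ENCRYPTED_RSA_FILE = f"""-----BEGIN CERTIFICATE-----
{_fake_body('certificate')}
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

{_fake_body('rsa key')}
-----END RSA PRIVATE KEY-----
"""

# Cert + unencrypted PKCS#8 key: usable without a pass phrase.
PLAIN_PKCS8_FILE = f"""-----BEGIN CERTIFICATE-----
{_fake_body('certificate')}
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
{_fake_body('pkcs8 key')}
-----END PRIVATE KEY-----
"""

# A CA bundle: several certs and no key. Not a client identity; must be rejected.
CA_BUNDLE_FILE = f"""-----BEGIN CERTIFICATE-----
{_fake_body('ca 1')}
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
{_fake_body('ca 2')}
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(text: str) -> list:
    """Split PEM text into blocks: label, RFC 1421 headers, decoded body."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = {}
        # Headers ("Name: value") precede the base64 and end with a blank line.
        while lines and ":" in lines[0]:
            name, value = lines[0].split(":", 1)
            headers[name.strip()] = value.strip()
            lines.pop(0)
        if lines and lines[0].strip() == "":
            lines.pop(0)
        joined = "".join(line.strip() for line in lines)
        try:
            der = base64.b64decode(joined, validate=True)
        except ValueError as exc:
            raise ValueError(f"bad base64 in {m.group('label')} block") from exc
        blocks.append({"label": m.group("label"), "headers": headers, "der": der})
    return blocks


def key_is_encrypted(block: dict) -> bool:
    """True if the key needs a pass phrase before OpenSSL can load it."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted form
        return True
    return block["headers"].get("Proc-Type") == "4,ENCRYPTED"  # traditional form


def load_client_identity(text: str) -> dict:
    """Enforce 'exactly one cert and one key per file' and describe the key."""
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b["label"] in CERT_LABELS]
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected exactly one certificate and one private key, "
                         f"got {len(certs)} cert(s) and {len(keys)} key(s)")
    key = keys[0]
    return {"cert_der": certs[0]["der"], "key_der": key["der"],
            "key_label": key["label"], "needs_passphrase": key_is_encrypted(key),
            "dek_info": key["headers"].get("DEK-Info")}


def scan_identity_files(files: dict) -> tuple:
    """Sort {name: pem_text} into (ready, needs_passphrase, rejected)."""
    ready, needs_pp, rejected = {}, {}, {}
    for name, text in files.items():
        try:
            ident = load_client_identity(text)
        except ValueError as exc:
            rejected[name] = str(exc)
            continue
        (needs_pp if ident["needs_passphrase"] else ready)[name] = ident
    return ready, needs_pp, rejected


if __name__ == "__main__":
    r, p, x = scan_identity_files({"enc.pem": ENCRYPTED_RSA_FILE,
                                   "plain.pem": PLAIN_PKCS8_FILE,
                                   "cabundle.pem": CA_BUNDLE_FILE})
    print("ready:", sorted(r), "need pass phrase:", sorted(p), "rejected:", x)
```

Files landing in the "needs pass phrase" set are the ones that would be queued for the pass-phrase dialog rather than loaded on the fly; the scanner deliberately does not decrypt anything, it only decides the routing. Real files would additionally be checked for cert/key correspondence with OpenSSL (`X509_check_private_key`), which placeholder bodies cannot exercise.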