All, I’m not sure if this would be considered a vulnerability or lack of functionality of Mod_SSL or OpenSSL.
Test Platform:
Red Hat Linux 9.0
Apache 1.3.31
Mod_SSL 2.8.18
OpenSSL 0.9.7d

Apache server is configured for client authentication using digital certificates and validation of a certificate revocation list (CRL) file.

Certificate Revocation List Concern:

If using the Certificate File directive for a CRL, Apache will start with an expired CRL file. I am trusting several Certificate Authorities, but only have one CRL file (expired) from one of the CAs. I am allowed access using a revoked certificate as long as it is not issued from the CA of the expired CRL file. I am not allowed access if I select a certificate issued from the CA of the CRL file I'm using. The logging is correct in that Apache is going to deny access for all clients of that particular CA until I get a new CRL.

If using the Symbolic Link directive for the CRL file, Apache will start with NO CRL file available. Apache will allow revoked certificates to access all protected pages.

I've also noticed a similar behavior with path validation when using client authentication and digital certificates. It seems as though Apache will allow access as long as it can find a CA it trusts in the chain of the client's certificate. Shouldn't Apache/Mod_SSL validate the trust of each CA in the path for a client certificate? You can configure how deep to validate the certificate, but it seems as though it's just going to check as far up the chain until it finds a CA certificate it trusts and then stops.

Internet Explorer was vulnerable to this type of attack because the browser did not validate the trust of each certificate in the chain. Someone could stand up their own CA using OpenSSL and issue digital certificates using a signed certificate from a higher level CA. Internet Explorer would just look through the tree until it found a CA that was trusted instead of alerting the user that a rogue CA certificate had been found in the path.

Any feedback would be appreciated.
Thanks,
Rene

Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
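The first concern above is that Apache starts happily with an expired CRL. One mitigation is a pre-start check that reads nextUpdate out of the CRL file and refuses to bring the server up on a stale one. The following is an added example, not code from the post or from mod_ssl/OpenSSL: a minimal DER reader for the CertificateList structure, plus a constructed, unsigned sample CRL (placeholder issuer, no real CA) so it runs offline. It assumes the CRL is in DER form; a PEM file would need its base64 body decoded first.

```python
from datetime import datetime, timezone

def der(tag, content):
    """Encode one DER TLV; short-form length only, enough for the small samples below."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) as aware UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate) from a CertificateList; nextUpdate may be None."""
    _, cert_list, _ = read_tlv(crl_der, 0)      # CertificateList SEQUENCE
    _, tbs, _ = read_tlv(cert_list, 0)          # TBSCertList SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)              # optional version INTEGER ...
    if tag == 0x02:
        tag, _, pos = read_tlv(tbs, pos)        # ... then signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    tag, value, pos = read_tlv(tbs, pos)        # thisUpdate
    this_update, next_update = parse_time(tag, value), None
    if pos < len(tbs):                          # next element is nextUpdate only if it is a time
        tag, value, _ = read_tlv(tbs, pos)      # (otherwise revokedCertificates or extensions)
        if tag in (0x17, 0x18):
            next_update = parse_time(tag, value)
    return this_update, next_update

def crl_is_fresh(crl_der, now=None):
    """True only when the CRL states a nextUpdate that has not yet passed."""
    now = now or datetime.now(timezone.utc)
    _, next_update = crl_validity(crl_der)
    return next_update is not None and now < next_update

def sample_crl(this_update, next_update):
    """Constructed, unsigned sample CRL with a placeholder issuer (no real CA involved)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, b"")
              + der(0x17, this_update.encode()) + der(0x17, next_update.encode()))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))    # empty BIT STRING stands in for the signature

EXPIRED_CRL = sample_crl("040601000000Z", "040701000000Z")  # validity window in mid-2004
FRESH_CRL = sample_crl("040601000000Z", "490101000000Z")    # nextUpdate in 2049
```

In a start script, `crl_is_fresh(open(path, "rb").read())` gates the Apache start; a CRL with no nextUpdate is treated as not fresh, which is the conservative choice for a server that would otherwise run without revocation data.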