Re: [PATCH] Enable client certificate for https-https proxy tests

2004-02-18 Thread Joe Orton
On Mon, Aug 04, 2003 at 12:37:51PM -0700, Sander Temme wrote:
> Hi all,
> 
> This patch fixes a problem that occurs when RSA SSL-C is used as back-end
> for mod_ssl:

Just looked into this again, we'd seen this same problem on a few boxes
(using OpenSSL of course), but not on others, and had been using exactly
the same patch as you, and now I triggered the thing again today.

It is a directory ordering bug (they are the order of the day it seems
:): successful operation depends on readdir() returning client_ok.pem
first, which is not guaranteed but happens sometimes; since all the
certs match the CA names offered any of them will be chosen.  So this
really is a correct fix.

I suppose there is a mod_ssl bug here too: SSLP.M.C.Path is not
consistent in determining which client cert is used if several would
match the CA names offered, it just relies on directory ordering.

I'll check this in, anyway.  Very belated thanks :)

> Index: t/conf/ssl/proxyssl.conf.in
> ===
> RCS file: 
> /home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
> retrieving revision 1.11
> diff -u -r1.11 proxyssl.conf.in
> --- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -   1.11
> +++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -
> @@ -34,7 +34,7 @@
>  #these are not on by default in the 1.x based mod_ssl
>  
>  SSLProxyEngine On
> -#SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
> +SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
>  #client_ok.pem should be loaded first
>  SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
>  SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt
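Review bot: the context line `#client_ok.pem should be loaded first` now describes exactly the directory-ordering dependency that the uncommented `SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem` is there to remove; reword the comment to say that the client cert is pinned explicitly because the order in which `SSLProxyMachineCertificatePath` loads certificates is not guaranteed, so the next reader does not conclude the comment still holds.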

[PATCH] Enable client certificate for https-https proxy tests

2003-08-04 Thread Sander Temme
Hi all,

This patch fixes a problem that occurs when RSA SSL-C is used as back-end
for mod_ssl:

Index: t/conf/ssl/proxyssl.conf.in
===
RCS file: 
/home/cvspublic/httpd-test/perl-framework/t/conf/ssl/proxyssl.conf.in,v
retrieving revision 1.11
diff -u -r1.11 proxyssl.conf.in
--- t/conf/ssl/proxyssl.conf.in 2 May 2002 19:25:52 -   1.11
+++ t/conf/ssl/proxyssl.conf.in 4 Aug 2003 19:30:00 -
@@ -34,7 +34,7 @@
 #these are not on by default in the 1.x based mod_ssl
 
 SSLProxyEngine On
-#SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
+SSLProxyMachineCertificateFile @SSLCA@/asf/proxy/client_ok.pem
 #client_ok.pem should be loaded first
 SSLProxyMachineCertificatePath @SSLCA@/asf/proxy
 SSLProxyCACertificateFile @SSLCA@/asf/certs/ca.crt
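Review bot: the hunk leaves `SSLProxyMachineCertificatePath @SSLCA@/asf/proxy` in place next to the now-active `SSLProxyMachineCertificateFile`, so the test config has two overlapping sources for the proxy client certificate; if the Path directive is kept deliberately (to keep exercising that code path), add a comment saying so, otherwise drop it so the test has a single unambiguous client certificate and the fix cannot be silently undone by directory contents.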

If I don't explicitly specify the proxy client cert when running on SSL-C,
the wrong certificate gets picked for proxy client authentication. The
result is a 403 Forbidden from the upstream, and a 502 Bad Gateway from the
proxy. 

The regular mod_ssl/OpenSSL combination is not affected, but is not broken
by this patch either. Tested on Darwin (OpenSSL), Linux (both OpenSSL and
SSL-C) and Solaris (both).

S.

-- 
Covalent Technologies [EMAIL PROTECTED]
Engineering group              Voice: (415) 856 4214
303 Second Street #375 South   Fax: (415) 856 4210
San Francisco CA 94107

   PGP Fingerprint: 7A8D B189 E871 80CB 9521  9320 C11E 7B47 964F 31D9
