Red Hat Bugzilla – Attachment 575100 Details for
Bug 809793
SSL Client Authentication under Cross-certification configurations, valid certificates are refused
[patch]
httpd/mod_ssl patch for TrustedFirst at VHost level
httpd-2.2.3-ssl-trusted_first.patch (text/plain), 4.72 KB, created by
KV
on 2012-04-04 11:53:23 UTC
Description:
httpd/mod_ssl patch for TrustedFirst at VHost level
Filename:
MIME Type:
Creator:
KV
Created:
2012-04-04 11:53:23 UTC
Size:
4.72 KB
patch
obsolete
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c 2012-03-09 08:40:42.000000000 -0500
>@@ -145,6 +145,9 @@
> "Use the server's cipher ordering preference")
> SSL_CMD_ALL(UserName, TAKE1,
> "Set user name to SSL variable value")
>+ SSL_CMD_SRV(TrustedFirst, TAKE1,
>+ "SSL Client Check Trusted Store first "
>+ "(`on', `off')")
>
> /*
> * Proxy configuration for remote SSL connections
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2012-03-09 09:07:26.000000000 -0500
>@@ -125,6 +125,7 @@
> mctx->auth.ca_cert_file = NULL;
> mctx->auth.cipher_suite = NULL;
> mctx->auth.verify_depth = UNSET;
>+ mctx->auth.trusted_first = UNSET;
> mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
> }
>
>@@ -213,6 +214,7 @@
> cfgMergeString(auth.ca_cert_file);
> cfgMergeString(auth.cipher_suite);
> cfgMergeInt(auth.verify_depth);
>+ cfgMergeInt(auth.trusted_first);
> cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
> }
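Review bot: The help string for the new directive, `"SSL Client Check Trusted Store first "`, does not say what the trusted store is checked ahead of, which is the whole point of the option under cross-certification. I would reword it to `"Prefer the configured CA store over client-supplied intermediates when building client certificate chains (`on', `off')"`. It is also worth stating in the directive documentation that, being registered with SSL_CMD_SRV rather than SSL_CMD_ALL like SSLVerifyClient, this setting is per virtual host only and cannot be overridden per directory.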
>
>@@ -977,6 +979,24 @@
> return NULL;
> }
>
>+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *cmd,
>+ void *dcfg,
>+ const char *arg)
>+{
>+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>+
>+ if (!strcasecmp(arg, "On")) {
>+ sc->server->auth.trusted_first = 1;
>+ return NULL;
>+ }
>+ else if (!strcasecmp(arg, "Off")) {
>+ sc->server->auth.trusted_first = 0;
>+ return NULL;
>+ }
>+
>+ return "Argument must be On or Off";
>+}
>+
> #define MODSSL_NO_SHARED_MEMORY_ERROR \
> "SSLSessionCache: shared memory cache not useable on this platform"
>
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2012-03-09 08:40:38.000000000 -0500
>@@ -516,6 +516,18 @@
> mctx->auth.verify_depth = 1;
> }
>
>+ /**
>+ * If requested, set flag for using Trusted set of CA
>+ * Certificates first. (Backport from openssl-1.0.2)
>+ */
>+ if (mctx->auth.trusted_first == SSL_CVERIFY_TRUSTED_ON) {
>+ if (s->loglevel >= APLOG_INFO) {
>+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
>+ "Setting Use Trusted First Flag for Client Verification");
>+ }
>+ ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;
>+ }
>+
> /*
> * Configure callbacks for SSL context
> */
>diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h
>--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h 2006-07-23 07:11:58.000000000 -0400
>+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h 2012-03-09 08:27:59.000000000 -0500
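Review bot: ssl_cmd_SSLTrustedFirst stores the bare literals `1` and `0` into `trusted_first`, while the init code in ssl_engine_init.c compares the same field against `SSL_CVERIFY_TRUSTED_ON`; if those constants ever diverge the directive silently stops taking effect, which for a verification setting is the wrong failure mode. Use the named values here: `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_ON;` and `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_OFF;`. A one-line header comment would also help, e.g. `/* SSLTrustedFirst on|off: prefer the configured CA store over client-sent intermediates when verifying client chains (server context only). */`.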
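Review bot: `ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;` pokes directly into libssl's SSL_CTX internals and, on a libcrypto that does not actually implement trusted-first chain building, silently changes nothing while the INFO message still reports the flag as set; an operator relying on SSLTrustedFirst to get correct accept/reject decisions under cross-certification would then be running the old behaviour with no indication. Set the flag through the public API instead, `X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);` (via `SSL_CTX_get0_param(ctx)` where that accessor exists), and log at WARNING or refuse to start when the symbol had to be supplied by the local fallback define rather than by the OpenSSL headers. The log message could also say what the flag does, e.g. `"SSLTrustedFirst: preferring configured CA store over client-supplied intermediates"`. The enclosing function starts and ends outside the hunk, so I cannot tell from here whether this path is also taken for the proxy context, where `trusted_first` stays UNSET.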
>@@ -238,6 +238,26 @@
> || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
>
> /**
>+ * Define SSL Verification Flags
>+ * (Backport from openssl-1.0.2)
>+ */
>+
>+#ifndef X509_V_FLAG_TRUSTED_FIRST
>+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
>+#endif
>+
>+/**
>+ * Define the values for Client Verification Trust enabled or not
>+ */
>+#ifndef SSL_CVERIFY_TRUSTED
>+#define SSL_CVERIFY_TRUSTED_ON 1
>+#define SSL_CVERIFY_TRUSTED_OFF 0
>+
>+#define SSL_CVERIFY_TRUSTED
>+#endif
>+
>+
>+/**
> * Define the SSL pass phrase dialog types
> */
> typedef enum {
>@@ -344,6 +364,7 @@
> const char *verify_info;
> const char *verify_error;
> int verify_depth;
>+ int trusted_first;
> int is_proxy;
> int disabled;
> int non_ssl_request;
>@@ -410,6 +431,7 @@
>
> /** for client or downstream server authentication */
> int verify_depth;
>+ int trusted_first;
> ssl_verify_t verify_mode;
> } modssl_auth_ctx_t;
>
>@@ -506,6 +528,7 @@
> const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
>+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
> const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
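Review bot: The fallback `#define X509_V_FLAG_TRUSTED_FIRST 0x8000` hard-codes an OpenSSL ABI bit; when the headers in use lack the symbol, the linked libcrypto either ignores that bit, making SSLTrustedFirst a no-op that still parses cleanly, or, if some other OpenSSL build assigns 0x8000 to a different verification flag, the directive switches on an unrelated check. Make the dependency explicit rather than silent: replace the fallback with `#error "SSLTrustedFirst requires an OpenSSL providing X509_V_FLAG_TRUSTED_FIRST"`, or at least gate the define on the exact `OPENSSL_VERSION_NUMBER` the backport was validated against and say so in the comment. The empty `#define SSL_CVERIFY_TRUSTED` that exists only to guard the two value macros is also confusing to read; guarding on `SSL_CVERIFY_TRUSTED_ON` itself, or using an enum, would be clearer.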
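Review bot: The `int trusted_first;` member added to the per-connection record (the struct holding `verify_info`, `verify_depth` and `is_proxy`) is never written or read anywhere else in this patch; only the `modssl_auth_ctx_t` copy is touched by the directive handler and the init code. Unless it is reserved for a later per-connection override, drop it, or mark it so the next reader does not assume it participates in verification, e.g. `int trusted_first; /* reserved: not consulted by verification yet */`.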