Bug 809793

Summary: SSL Client Authentication under Cross-certification configurations, valid certificates are refused

Field | Value
---|---
Product | Red Hat Enterprise Linux 5
Reporter | KV <vargok>
Component | openssl
Assignee | Tomas Mraz <tmraz>
Status | CLOSED WONTFIX
QA Contact | BaseOS QE Security Team <qe-baseos-security>
Severity | medium
Priority | unspecified
Version | 5.9
Keywords | FutureFeature
Target Milestone | rc
Target Release | ---
Hardware | All
OS | Linux
Doc Type | Enhancement
Story Points | ---
Last Closed | 2012-10-25 07:01:09 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Attachments:

Created attachment 575100 [details]
httpd/mod_ssl patch for TrustedFirst at VHost level

Patch for adding a TrustedFirst flag to the virtual host configuration to enable the upstream OpenSSL flag.
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to reconsider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please reopen the request via appropriate support channels and provide additional supporting details about the importance of this issue.
Created attachment 575098 [details]
Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e

Description of problem:
For PKI / SSL Client Authentication, under a configuration situation that includes "cross-certification" of Certificate Authorities, valid users may be refused access to permitted resources due to a combination of configuration. It should be possible to check the client-offered certificates/certificate-chain against the local "trusted" set of certificates, rather than just verifying the root of the client-offered chain. OpenSSL has added this in the latest (HEAD), and I would like to see it back-ported.

Version-Release number of selected component (if applicable):
OpenSSL 0.9.8e / 1.0; fix from HEAD.

How reproducible:
Always

Steps to Reproduce:
1. Configure a server for SSL Client Authentication with a self-signed root CA
2. Configure a client with a cross-certified copy of that "root" CA
3. Attempt to access a resource with a valid client certificate

Actual results:
Client refused with "Error Unknown Local Issuer."

Expected results:
Clients can access the protected resource.

Additional info:
I've attached the patch for OpenSSL against RHEL/CentOS 5 0.9.8e; I've got one for httpd/mod_ssl as well.
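The path-building difference behind this report, as an added example that is not part of the bug report, the attached patches or OpenSSL's own code: a simplified model in which certificates are matched by name only (no keys or signatures), the client offers its certificate plus a cross-certificate of the root CA issued by a partner bridge CA, and the server's trust store holds only its self-signed root. All certificate names are constructed; the error string is OpenSSL's wording for the condition the report paraphrases.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: names only, no keys or signatures."""
    subject: str
    issuer: str


def find_issuer(cert, pool):
    """Return the first certificate in `pool` whose subject matches `cert.issuer`, if any."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(leaf, untrusted, trusted, trusted_first):
    """Simplified chain building. Returns (ok, chain) or (False, error string).

    trusted_first=False models the 0.9.8e behaviour: the peer-supplied (untrusted)
    chain is followed as far as it goes and the trust store is consulted only for
    the issuer of its last certificate, so a cross-certificate of the root drags
    path building toward a bridge CA the server does not know.
    trusted_first=True models the upstream X509_V_FLAG_TRUSTED_FIRST behaviour:
    the trust store is checked at every step before the peer-supplied chain.
    """
    path = [leaf]
    current = leaf
    pools = (trusted, untrusted) if trusted_first else (untrusted, trusted)
    while current not in trusted:  # stop once a trust anchor is reached
        issuer = next((c for c in (find_issuer(current, p) for p in pools) if c), None)
        if issuer is None:
            return False, "unable to get local issuer certificate"
        if issuer.subject in {c.subject for c in path}:
            return False, "certificate chain loop"  # e.g. mutual cross-certificates
        path.append(issuer)
        current = issuer
    return True, path


# Constructed scenario from the report: the server trusts its own self-signed
# root; the client's chain carries a cross-certificate of that root issued by
# a partner bridge CA that is absent from the server's trust store.
ROOT_CA = Cert(subject="CN=Example Root CA", issuer="CN=Example Root CA")
CROSS_CERT = Cert(subject="CN=Example Root CA", issuer="CN=Partner Bridge CA")
CLIENT = Cert(subject="CN=alice", issuer="CN=Example Root CA")


def verify_client(trusted_first):
    """Verify the client's offered chain [CLIENT, CROSS_CERT] against the server's store."""
    return build_path(CLIENT, untrusted=[CROSS_CERT], trusted=[ROOT_CA], trusted_first=trusted_first)


if __name__ == "__main__":
    for flag in (False, True):
        ok, detail = verify_client(flag)
        print(f"trusted_first={flag}:", [c.subject for c in detail] if ok else detail)
```

With the flag off the same client certificate is refused even though its issuer is sitting in the trust store; with it on, the self-signed root is found at the first step and the cross-certificate is never consulted.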