Bug 809793

Summary: SSL Client Authentication under Cross-certification configurations, valid certificates are refused
Product: Red Hat Enterprise Linux 5
Reporter: KV <vargok>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 5.9
Keywords: FutureFeature
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2012-10-25 07:01:09 UTC
Type: Bug

Attachments:
- Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e (flags: none)
- httpd/mod_ssl patch for TrustedFirst at VHost level (flags: none)

Description KV 2012-04-04 11:52:14 UTC
Created attachment 575098 [details]
Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e

Description of problem:

For PKI / SSL Client Authentication, under a configuration situation that includes "cross-certification" of Certificate Authorities, valid users may be refused access to permitted resources due to a combination of configuration.  It should be possible to check the client-offered certificates/certificate-chain against the local "trusted" set of certificates, rather than just verifying the root of the client-offered chain.  OpenSSL has added this in the latest (HEAD), and I would like to see it back-ported.

Version-Release number of selected component (if applicable):

OpenSSL 0.9.8e / 1.0; fix from HEAD.

How reproducible:

Always

Steps to Reproduce:
1. Configure a server for SSL Client Authentication with a self-signed root CA
2. Configure a client with a cross-certified copy of that "root" CA
3. Attempt to access a resource with valid client certificate
  
Actual results:

Client refused with "Error Unknown Local Issuer."

Expected results:

Clients can access the protected resource.

Additional info:

I've attached the patch for OpenSSL against RHEL/CentOS 5 0.9.8e; I've got one for httpd/mod_ssl as well.
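The following is a toy model of the path-building difference the report describes, added here as an illustration; it is not code from the attached patches or from OpenSSL itself. A certificate is reduced to a (subject, issuer, key id) triple, the CA names and key ids are constructed, and the two modes of build_chain() approximate the classic "untrusted first" walk and the behaviour OpenSSL selects with X509_V_FLAG_TRUSTED_FIRST (the -trusted_first option of openssl verify, which became the only behaviour in OpenSSL 1.1.0). The scenario is the one from the steps to reproduce: the server trusts a self-signed root, the client sends a cross-certified copy of that root together with its leaf.

```python
"""Toy model of X.509 chain building, with and without "trusted first".

Constructed example, not OpenSSL's own code: a certificate is reduced to
(subject, issuer, spki).  A cross-certificate and the self-signed root of
the same CA share subject and spki but carry different issuer names.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Status strings mirror the OpenSSL verify error texts the report refers to.
OK = "ok"
ERR_LOCAL_ISSUER = "unable to get local issuer certificate"       # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
ERR_SELF_SIGNED = "self signed certificate in certificate chain"  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str  # identifier of the public key carried by the certificate (constructed)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """First certificate in pool whose subject names cert's issuer."""
    for cand in pool:
        if cand.subject == cert.issuer:
            return cand
    return None


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                trusted_first: bool, max_depth: int = 10) -> Tuple[List[Cert], str]:
    """Walk from the leaf towards a trust anchor and report the verify status.

    trusted_first=False: classic order, peer-supplied (untrusted) certificates
    are consulted before the local trust store at every step.
    trusted_first=True: the local trust store is consulted first, so the
    self-signed copy of a CA wins over a cross-certificate for the same CA.
    Once a trusted certificate has been added, only the trust store is used.
    """
    chain = [leaf]
    trusted_only = False
    while len(chain) <= max_depth:
        top = chain[-1]
        if top.self_signed:
            return chain, (OK if top in trusted else ERR_SELF_SIGNED)
        if trusted_only:
            pools = (trusted,)
        elif trusted_first:
            pools = (trusted, untrusted)
        else:
            pools = (untrusted, trusted)
        issuer = None
        for pool in pools:
            issuer = find_issuer(top, pool)
            if issuer is not None:
                trusted_only = pool is trusted
                break
        if issuer is None:
            return chain, ERR_LOCAL_ISSUER
        chain.append(issuer)
    return chain, "chain too long"


# Constructed scenario from the report: the server trusts a self-signed root,
# the client presents the cross-certified copy of that root with its leaf.
ROOT_SELF_SIGNED = Cert("CN=Example Root CA", "CN=Example Root CA", "key-root")
ROOT_CROSS_CERT = Cert("CN=Example Root CA", "CN=Bridge CA", "key-root")
CLIENT_LEAF = Cert("CN=alice", "CN=Example Root CA", "key-alice")

SERVER_TRUST_STORE = [ROOT_SELF_SIGNED]
CLIENT_CHAIN_CERTS = [ROOT_CROSS_CERT]  # extra certificates sent alongside the leaf


def verify_client(trusted_first: bool) -> Tuple[str, List[str]]:
    """Verify status and the issuer-name path the server ends up following."""
    chain, status = build_chain(CLIENT_LEAF, CLIENT_CHAIN_CERTS,
                                SERVER_TRUST_STORE, trusted_first)
    return status, [c.issuer for c in chain]


if __name__ == "__main__":
    for mode in (False, True):
        status, path = verify_client(mode)
        print(f"trusted_first={mode}: {status}  issuer path={path}")
```

Without trusted-first the walk follows the client's cross-certificate up to "CN=Bridge CA", which the server has no certificate for, and ends in the local-issuer error; with trusted-first the server's own self-signed root is picked at the first step and the chain terminates there. The same reasoning applies in reverse: a server that only has the cross-certificate installed still cannot accept the chain, so the flag is a path-building fix, not a substitute for installing the right anchor.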

Comment 1 KV 2012-04-04 11:53:23 UTC
Created attachment 575100 [details]
httpd/mod_ssl patch for TrustedFirst at VHost level

Patch for adding TrustedFirst flag to virtualhost configuration to enable upstream OpenSSL flag.

Comment 4 RHEL Program Management 2012-10-10 11:48:53 UTC
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to reconsider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.