Created attachment 575098 [details] Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e Description of problem: For PKI / SSL Client Authentication, under a configuration situation that includes "cross-certification" of Certificate Authorities, valid users may be refused access to permitted resources due to a combination of configuration. It should be possible to check the client-offered certificates/certificate-chain against the local "trusted" set of certificates, rather than just verifying the root of the client-offered chain. OpenSSL has added this in the latest (HEAD), and I would like to see it back-ported. Version-Release number of selected component (if applicable): OpenSSL 0.9.8e / 1.0; fix from HEAD. How reproducible: Always Steps to Reproduce: 1. Configure a server for SSL Client Authentication with a self-signed root CA 2. Configure a client with a cross-certified copy of that "root" CA 3. Attempt to access a resource with valid client certificate Actual results: Client refused with "Error Unknown Local Issuer." Expected results: Clients can access the protected resource. Additional info: I've attached the patch for OpenSSL against RHEL/CentOS 5 0.9.8e; I've got one for httpd/mod_ssl as well.
Created attachment 575100 [details] httpd/mod_ssl patch for TrustedFirst at VHost level Patch for adding TrustedFirst flag to virtualhost configuration to enable upstream OpenSSL flag.
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle. Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to re-consider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.