Bug 809793 - SSL Client Authentication under Cross-certification configurations, valid certificates are refused
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.9
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2012-04-04 07:52 EDT by KV
Modified: 2012-10-25 03:01 EDT

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-25 03:01:09 EDT
Type: Bug
Regression: ---


Attachments
Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e (2.05 KB, patch)
2012-04-04 07:52 EDT, KV
httpd/mod_ssl patch for TrustedFirst at VHost level (4.72 KB, patch)
2012-04-04 07:53 EDT, KV

Description KV 2012-04-04 07:52:14 EDT
Created attachment 575098
Patch for back-porting TrustedFirst capability from openssl-HEAD to 0.9.8e

Description of problem:

For PKI / SSL Client Authentication, under a configuration situation that includes "cross-certification" of Certificate Authorities, valid users may be refused access to permitted resources due to a combination of configuration settings.  It should be possible to check the client-offered certificates/certificate-chain against the local "trusted" set of certificates, rather than just verifying the root of the client-offered chain.  OpenSSL has added this in the latest (HEAD), and I would like to see it back-ported.

Version-Release number of selected component (if applicable):

OpenSSL 0.9.8e / 1.0; fix from HEAD.

How reproducible:

Always

Steps to Reproduce:
1. Configure a server for SSL Client Authentication with a self-signed root CA
2. Configure a client with a cross-certified copy of that "root" CA
3. Attempt to access a resource with valid client certificate
  
Actual results:

Client refused with "Error Unknown Local Issuer."

Expected results:

Clients can access the protected resource.

Additional info:

I've attached the patch for OpenSSL against RHEL/CentOS 5 0.9.8e; I've got one for httpd/mod_ssl as well.
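The following script is an added example, not part of the bug report or of the attached patches. It builds the PKI layout from the "Steps to Reproduce" above with the openssl CLI: a self-signed root CA that the server trusts, a second CA ("Other CA") that cross-certifies the root CA's key, and a client certificate issued under the root CA key. The cross-certificate has the same subject, public key and subject key identifier as the self-signed root but a different issuer, which is exactly what trips a chain builder that prefers the peer-supplied copy: it walks client -> cross-signed CA -> "Other CA" and stops with an unknown local issuer, even though the self-signed root in the store would have completed the chain. The CA names, the client name "kv", the file names and the working directory are assumptions made for this demo; the script only needs the openssl CLI. Note that OpenSSL 1.0.2 introduced the `-trusted_first` flag (X509_V_FLAG_TRUSTED_FIRST) and OpenSSL 1.1.0 made that behaviour the default, so on a current system the flag is accepted but redundant and the failure this bug describes can only be reproduced on 0.9.8/1.0.x builds without it.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the attached patches.
# Builds the cross-certification layout from "Steps to Reproduce" with the
# openssl CLI and verifies the chain a client would present (leaf plus
# cross-signed CA) against a server trust store holding only the root.
# All names (Example Root CA, Other CA, kv) are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Explicit extension sections so the result does not depend on the
# system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Step 1: the server's trust anchor, a self-signed root CA.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -subj "/CN=Example Root CA" -days 3650 \
    -config ext.cnf -extensions v3_ca -out root.pem

# Step 2: a second PKI that cross-certifies the root CA's key. cross.pem has
# the same subject, public key and SKID as root.pem but is issued by
# "Other CA", which the server does not trust.
openssl genrsa -out other.key 2048 2>/dev/null
openssl req -new -x509 -key other.key -subj "/CN=Other CA" -days 3650 \
    -config ext.cnf -extensions v3_ca -out other.pem
openssl req -new -key root.key -subj "/CN=Example Root CA" \
    -config ext.cnf -out cross.csr
openssl x509 -req -in cross.csr -CA other.pem -CAkey other.key -CAcreateserial \
    -days 3650 -extfile ext.cnf -extensions v3_ca -out cross.pem

# Step 3: a client certificate signed with the root CA key.
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -subj "/CN=kv" -config ext.cnf -out client.csr
openssl x509 -req -in client.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions v3_client -out client.pem

# Prints "yes" if root.pem and cross.pem carry the same public key (the crux
# of the cross-certification case), otherwise "no".
same_key() {
    a=$(openssl x509 -in root.pem -pubkey -noout)
    b=$(openssl x509 -in cross.pem -pubkey -noout)
    [ "$a" = "$b" ] && echo yes || echo no
}

# Verifies client.pem with cross.pem as peer-supplied (untrusted) chain
# material. $1 is the trust store file, $2 an optional extra flag such as
# -trusted_first. Prints "ok" or "fail".
verify_chain() {
    if openssl verify ${2:-} -CAfile "$1" -untrusted cross.pem client.pem \
        >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "same key in root and cross cert: $(same_key)"
echo "root store, trusted-first:       $(verify_chain root.pem -trusted_first)"
echo "other PKI's store, no flag:      $(verify_chain other.pem)"
```

Run it with `sh trustedfirst.sh` (any file name). The third line shows that the same client chain also validates against the other PKI's root, which is the whole point of cross-certification: the server-side fix is not to add "Other CA" to the trust store, but to let the verifier prefer its own trusted copy of "Example Root CA" over the cross-signed copy the client sends.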
Comment 1 KV 2012-04-04 07:53:23 EDT
Created attachment 575100
httpd/mod_ssl patch for TrustedFirst at VHost level

Patch for adding TrustedFirst flag to virtualhost configuration to enable upstream OpenSSL flag.
Comment 4 RHEL Product and Program Management 2012-10-10 07:48:53 EDT
Thank you for submitting this issue for consideration. Red Hat Enterprise Linux 5 has reached the end of Production 1 Phase of its Life Cycle.  Red Hat does not plan to incorporate the suggested capability in a future Red Hat Enterprise Linux 5 minor release. If you would like Red Hat to re-consider this feature request and the requested functionality is not currently in Red Hat Enterprise Linux 6, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
