Mailing List Archive

[Bug 52874] New: Support Use TrustedFirst checking when verifying client certificate chain

Bug #: 52874
Summary: Support Use TrustedFirst checking when verifying
client certificate chain
Product: Apache httpd-2
Version: 2.2.3
Platform: PC
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Classification: Unclassified

Client Certificate verification expects the client to provide a full
certificate chain back to a trusted root. However, with the introduction of
Cross-certification configuration, there may be multiple "valid" paths, of
differing scope. OpenSSL (HEAD/c.a. 1.0.2) has provided support for a Trusted
First flag to verification processing, and I would like to see that make it's
way back into mod_ssl.
As I'm using RHEL-5, I'd like to get EL-5 to update it's mod_ssl (and openssl),
but I'd like to get the patch into mod_ssl's "upstream," as well.

Basically, when verifying the Client certificate, the chain building process
should always check for the "next" (higher) CA Certificate to be in the
"trusted" store on the server-side, and if it finds it there, to use it;
continuing to build the chain from the server's store, ignoring the clients
store where possible. This will allow clients to provide intermediates up to a
point (making it so the server needn't track all intermediates). Once the
point of cross-certification is reached, the verification will proceed only
through the servers' version to the Roots/intermediates it trusts, rather than
needing to trust the client-offered chain -- which will vary in trust-scope.

To reproduce: 1. Generate a CA structure that has multiple roots, and issue
one of the intermediates, or one of the "Root" certificates through both CA
structures. 2. Configuration two browser-profiles; one to use each separate
chain. 3. Configure the server to trust one of the Roots, but not the other.
4. One profile should "work," and the other should result in a "Local Issuer
not found (20)" type error.
[Cross-Certification (CC) Root CA]
[Intermediate CC 1]
[Re-issued non-CC "Root" CA] <--same keys--> [Self-Signed (SS) Root CA]
\ /
\ /
\ /
[Intermediate issued from cross-certified CA]
[End-entity (user) certificate]

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail: