Mailing List Archive: Apache: Bugs

[Bug 47492] New: SSLVerifyClient require_no_ca

bugzilla at apache

Jul 7, 2009, 6:45 PM

[Bug 47492] New: SSLVerifyClient require_no_ca

https://issues.apache.org/bugzilla/show_bug.cgi?id=47492

Summary: SSLVerifyClient require_no_ca
Product: Apache httpd-2
Version: 2.2.11
Platform: All
URL: http://dig.csail.mit.edu/2009/mod_ssl-require_no_ca/mod_ssl-2.2.11-require_no_ca.patch
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs[at]httpd.apache.org
ReportedBy: presbrey[at]gmail.com


Created an attachment (id=23937)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23937)
SSLVerifyClient require_no_ca patch for httpd-2.2.11

This patch submission implements an additional option for the SSLVerifyClient
directive: require_no_ca. When configured, this option requires that clients
present SSL certificates but allows certificates issued by CAs unknown to the
server.

This feature is especially useful for SSL-based authentication schemes
implementing trust models independent of typical enterprise CA/chain
verification. The optional_no_ca option is insufficient for widely-deployed
solutions of this fashion since "'optional' doesn't work with all browsers"
[1].

One example making use of this configuration is the FOAF+SSL [2] protocol which
allows a client to assert an identity specified as a URI in the X509v3
extension subjectAltName of their certificate. After SSL negotiation by
mod_ssl, mod_authn_webid [3] pulls the URI via ssl_ext_lookup, calculates the
modulus and exponent of the client certificate, and authenticates the user to
this URI identity if the mod/exp published at the URI match those of the
presented certificate.

Please consider this short patch for inclusion. It applies cleanly to release
2.2.11.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
[2] http://esw.w3.org/topic/foaf+ssl
[3] http://dig.csail.mit.edu/2009/mod_authn_webid/

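The identity check described in the report, as an added example that is not part of the bug report or of mod_authn_webid: once the server no longer verifies the CA, the application must bind the certificate to its subjectAltName URI by comparing the certificate's RSA modulus and exponent with the key published at that URI. It assumes the `cryptography` Python package; the `published` dictionary and the `https://example.org/alice#me` WebID are constructed stand-ins for the FOAF document that would be fetched from the URI.

```python
# Added example (not from the bug report or mod_authn_webid); needs `cryptography`.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def make_self_signed_cert(key, webid_uri):
    """Constructed fixture: a self-signed cert carrying a WebID URI in subjectAltName."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test client")])
    start = datetime.datetime(2009, 7, 7)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=36500))
            .add_extension(x509.SubjectAlternativeName(
                [x509.UniformResourceIdentifier(webid_uri)]), critical=False)
            .sign(key, hashes.SHA256(), default_backend()))

def cert_identity_claim(cert_pem):
    """Return (uri, modulus, exponent) the client certificate asserts, or None."""
    cert = x509.load_pem_x509_certificate(cert_pem, default_backend())
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    pub = cert.public_key()
    if not uris or not isinstance(pub, rsa.RSAPublicKey):
        return None
    nums = pub.public_numbers()
    return uris[0], nums.n, nums.e

def verify_webid(cert_pem, published):
    claim = cert_identity_claim(cert_pem)
    if claim is None:
        return None
    uri, n, e = claim
    # With no CA check this comparison is the whole identity binding: anyone can
    # mint a cert naming the URI, but only the URI's owner controls what is published.
    return uri if published.get(uri) == (n, e) else None

def demo():
    uri = "https://example.org/alice#me"  # constructed WebID
    genuine, impostor = (rsa.generate_private_key(65537, 2048, default_backend()) for _ in range(2))
    nums = genuine.public_key().public_numbers()
    published = {uri: (nums.n, nums.e)}  # constructed stand-in for the FOAF document
    pem = lambda k: make_self_signed_cert(k, uri).public_bytes(serialization.Encoding.PEM)
    return verify_webid(pem(genuine), published), verify_webid(pem(impostor), published)
```

`demo()` returns the URI for the certificate whose key matches the published one and `None` for a second certificate that names the same URI with a different key.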
