
[Bug 62769] New: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.


https://bz.apache.org/bugzilla/show_bug.cgi?id=62769

            Bug ID: 62769
           Summary: no dedicated handling of frontend and backend TLS
                    connections anymore in the context of clientside
                    client certificate authentication.
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: gunnar.lukas@xxxxxxx
  Target Milestone: ---

Apache in reverse proxy mode with client-side certificate authentication
configured and a TLS connection to the backend via ProxyPass (mod_proxy).

After an update from

Apache/2.4.29 (Unix) OpenSSL/1.1.0g to
Apache/2.4.34 (Unix) OpenSSL/1.1.0i

with no configuration change, the Apache error log threw many errors:

[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1688):
[client 10.227.8.133:11443] AH02039: Certificate Verification: Error (19): self
signed certificate in certificate chain
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1714):
[client 10.227.8.133:11443] AH02040: Certificate Verification: Certificate
Chain too long (chain has 2 certificates, but maximum allowed are only 1)

I figured out that the complaints were caused by some new behaviour in checking
the backend server certificate. I could omit the AH02040 by setting
SSLVerifyDepth from 1 to 2. And here my confusion starts.

Why does it affect the backend-side TLS connection if I configure parameters
for the frontend TLS connection? We have only one level of CA hierarchy for
client certificates, and I don't want to set 2 here.

I was not able to overcome the AH02039 error. The certificate chain of the
backend server's certificate is not interesting at the reverse proxy level and was
not needed for decades. Something changed which messed this up.
Or is it wanted behaviour introduced by a new feature? I cannot find anything
in the release notes of Apache or OpenSSL.


SSLCertificateFile      server.crt
SSLCertificateKeyFile   server.key
SSLCACertificateFile    client-ca.crt
SSLCertificateChainFile Server_CA.crt
SSLOptions              +StdEnvVars +ExportCertData

SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

<VirtualHost *:443>
   ServerName test.com
   SSLEngine      on
   SSLProxyEngine on

   <Location /portal>
      ProxyPass         https://1.2.3.4/portal 
      ProxyPassReverse  https://1.2.3.4/portal
      SSLRequireSSL
      SSLVerifyClient         require
      SSLVerifyDepth          2
   </Location>
</VirtualHost>
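For reference, the posted vhost rewritten so that the frontend (client certificate) verification and the backend (ProxyPass) verification each use their own directive family; this is an added example, not configuration from the report, and it does not say whether 2.4.34 keeps the two depths apart. backend-ca.crt, the explicit SSLProxy* settings and the re-enabled peer checks are assumptions.

```apache
# Added example (not the reporter's configuration). File names other than
# those in the report, backend-ca.crt in particular, are assumptions.
<VirtualHost *:443>
   ServerName test.com
   SSLEngine      on
   SSLCertificateFile      server.crt
   SSLCertificateKeyFile   server.key
   SSLCertificateChainFile Server_CA.crt
   SSLOptions              +StdEnvVars +ExportCertData

   # Frontend: the CA that issues client certificates and how deep that
   # chain may be. One CA level, as the report describes, needs depth 1.
   SSLCACertificateFile    client-ca.crt
   SSLVerifyDepth          1

   # Backend: the server certificate presented by 1.2.3.4 is checked
   # against its own trust anchor and its own depth. backend-ca.crt is
   # assumed to contain the self-signed root that AH02039 complains about
   # (error 19 means that root is not in the trust store used for the check).
   SSLProxyEngine            on
   SSLProxyVerify            require
   SSLProxyCACertificateFile backend-ca.crt
   SSLProxyVerifyDepth       2

   # The report switches these off; keeping them on rejects a backend
   # whose name or validity period does not match.
   SSLProxyCheckPeerName     on
   SSLProxyCheckPeerExpire   on

   <Location /portal>
      ProxyPass         https://1.2.3.4/portal
      ProxyPassReverse  https://1.2.3.4/portal
      SSLRequireSSL
      SSLVerifyClient   require
   </Location>
</VirtualHost>
```

With the backend trust anchor and depth stated explicitly, an AH02039 or AH02040 entry for the proxy connection points at the SSLProxy* settings rather than at the client-certificate depth.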
