Bug #2937

SSL client certificate validation needs dedicated

Added by wschlich 3 months ago. Updated 2 months ago.

According to as well as SSL client certification uses the parameter "" for the list of trusted CA certificates that eligible client certificates must be signed by.
At the same time, this parameter is being used for sending out any intermediate CA certificates that were used to sign the server certificate contained in "ssl.pemfile".

This dual-use of the "" is problematic, because it would allow client certificates that have been signed by any of the intermediate certificates from the server certificate chain.

This really, really, really should not be the case as it would allow undesired cases of successful client certificate verification.

I suggest to:

1. Add a parameter "" to be able to configure a dedicated set of CA certificates that are only being used for verifying client certificates
2. Rename "" to "" to point out it's only being used for client certificate verification
3. Rename "" to "" to point out it's only being used for client certificate verification
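
As an added demonstration of the dual-use problem described in the report (a constructed script, not lighttpd code or anything from the tracker), the following builds a root CA, the intermediate that signs the server certificate, a separate client CA, and a client certificate issued by the server's intermediate, then checks which CA file accepts it. It assumes the `openssl` CLI is installed; all file names and subjects are made up.

```sh
#!/bin/sh
# Constructed demonstration: a CA file that also carries the server's
# intermediate accepts client certificates issued by that intermediate,
# while a file holding only the dedicated client CA does not.
# Assumes the openssl CLI is present; names and subjects are made up.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# selfsigned_ca <name> <cn>: self-signed CA -> <name>.key / <name>.pem
selfsigned_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
# issue <name> <cn> <ca> [ca]: cert signed by <ca>; 4th arg "ca" makes it a CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  ext=""
  [ "${4:-}" = ca ] && ext="-extfile ca.ext"
  openssl x509 -req -days 1 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial $ext -out "$1.pem" >/dev/null 2>&1
}
# verifies_against <cafile> <cert>: exit 0 when <cert> chains to a CA in <cafile>
verifies_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

selfsigned_ca root "Demo Root CA"                # root of the server chain
issue srvint "Demo Server Intermediate" root ca  # intermediate signing the server cert
selfsigned_ca clientca "Demo Client CA"          # only CA meant to issue client certs
issue good "alice" clientca                      # legitimate client certificate
issue rogue "mallory" srvint                     # client cert from the server intermediate

# Dual-use file: the client CA plus the chain certificates shipped for the server
cat clientca.pem root.pem srvint.pem > dual_use.pem

if verifies_against dual_use.pem rogue.pem; then
  echo "dual-use CA file: cert issued by the server intermediate is ACCEPTED"
fi
if ! verifies_against clientca.pem rogue.pem; then
  echo "dedicated client CA file: the same cert is rejected"
fi
if verifies_against clientca.pem good.pem; then
  echo "dedicated client CA file: legitimate client cert is accepted"
fi
```

Running the same `openssl verify` against a production CA file with a certificate issued by one of the server chain's intermediates is a quick way to check whether a deployment is exposed to this.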
Updated by gstrauss 3 months ago

Thank you for the report.

It will take some work to put together a solution with as little impact as possible on current usage (intended or not), to minimize breakage of existing configs.


Updated by gstrauss 3 months ago

Perhaps the documentation needs to be made clearer.

The verify_callback() function in mod_openssl contains this comment:

        /* verify that client cert is issued by CA in
         * if both and were configured */

If I understand you correctly, this is your goal. Is that right?

If is not specified, then is used for client cert validation.

Please see the commit message for commit 9fd39690


Updated by wschlich 3 months ago

gstrauss: This seems very weird to me. According to is just a file that should contain DNs of CAs that should be hinted to clients in the TLS handshake, not actual trusted CA certificates (see also -> "but not trusted root CAs"). So, what's true here?


Updated by wschlich 2 months ago

gstrauss: Any news here? :)
