Client Auth with S/MIME certificates - certificate purpose problem

on 11.02.2010 13:43:44 by Yaroslav

Hi all!

I have an https server with apache/2.2.12+mod_ssl/2.2.14 and OpenSSL/0.9.8g.
I want to perform authentication based on client S/MIME certificates.
Clients have certificates with only the following purposes:
- S/MIME signing
- S/MIME encryption
But no SSL client or SSL server.

So I'm getting the following error during authentication:

....
[Wed Feb 10 11:36:59 2010] [error] [client 127.0.0.1] Certificate
Verification: Error (26): unsupported certificate purpose
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL:
Write: SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [info] [client 127.0.0.1] SSL library error 1
in handshake (server 127.0.1.1:443)
[Wed Feb 10 11:36:59 2010] [info] SSL Library Error: 336105650
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
....

I tried to solve this by customizing 'ssl_engine_init.c' from mod_ssl.
I added the following lines in ssl_init_ctx_verify function:

/*
 * Configure CTX purpose.
 * SSL_CTX_set_purpose() returns 1 on success and 0 on failure.
 */
if (SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY)) {
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 "Purpose successfully set");
} else {
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose set failed");
}

/*
* Configure Client Authentication details
*/

But it doesn't work. Seems like it's all ok with SSL_CTX_set_purpose
function and there is "Purpose successfully set" line in apache log file
but I'm still getting "unsupported certificate purpose" error.
I haven't found any certificate purpose configuration code in
mod_ssl source.

I will be grateful for any help.


Yaroslav



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Client Auth with S/MIME certificates - certificate purpose problem

on 12.02.2010 14:35:44 by Yaroslav

I found a solution. It looks like a dirty hack and creates a security
hole, but it works for our custom purposes, so I don't recommend using
this way. Still, it may be of interest to somebody.
OpenSSL needs to be patched.
In 'openssl/ssl/ssl_cert.c' file, in 'ssl_verify_cert_chain' function
replace

X509_STORE_CTX_set_default(&ctx,
                           s->server ? "ssl_client" : "ssl_server");

by

X509_STORE_CTX_set_default(&ctx, "any");


Yaroslav
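The check behind both messages (the "unsupported certificate purpose" error in the first, and the "any" purpose substituted in the second) can be reproduced with the openssl command line, as an added example that is not part of the thread: it builds two throwaway self-signed certificates, one with only the S/MIME purpose and one also issued for TLS client authentication, and asks OpenSSL which purposes each satisfies. It assumes an `openssl` binary (1.1.1 or newer, for `req -addext`) on PATH; the certificate names and subjects are constructed.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes an
# `openssl` binary, version 1.1.1 or newer (for `req -addext`), on PATH.
# Certificate names and subjects below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: write a throwaway self-signed cert $WORK/NAME.pem
# whose extendedKeyUsage extension is exactly EKU.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -addext "keyUsage = digitalSignature, keyEncipherment" \
        -addext "extendedKeyUsage = $2" >/dev/null 2>&1
}

# purpose_ok CERT PURPOSE: succeed if `openssl x509 -purpose` reports
# "Yes" for PURPOSE, i.e. X509_check_purpose() accepts the cert for it.
# "SSL client" is the purpose mod_ssl verifies client certs against;
# "Any Purpose" is what the "any" patch in the reply switches to.
purpose_ok() {
    openssl x509 -in "$1" -noout -purpose | grep -qxF "$2 : Yes"
}

# Constructed S/MIME-only certificate, like the clients' in the thread.
make_cert smime "emailProtection"
# Constructed certificate that was additionally issued for TLS client auth.
make_cert client "emailProtection, clientAuth"

# Report the purposes that matter here for each certificate.
for name in smime client; do
    for purpose in "SSL client" "S/MIME signing" "Any Purpose"; do
        if purpose_ok "$WORK/$name.pem" "$purpose"; then
            echo "$name: $purpose : Yes"
        else
            echo "$name: $purpose : No"
        fi
    done
done
```

A certificate that reports "SSL client : No" here fails mod_ssl's verification exactly as in the log above, because an extendedKeyUsage extension without clientAuth does not satisfy OpenSSL's "ssl_client" purpose; "Any Purpose : Yes" for the same certificate is why the "any" patch accepts it.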