[Bug 62769] New: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Bug ID: 62769
Summary: no dedicated handling of frontend and backend TLS connections anymore in the context of clientside client certificate authentication.
Product: Apache httpd-2
Target Milestone: ---
Apache in reverse proxy mode with clientside certificate authentication
configured and a TLS connection to the backend via ProxyPass (mod_proxy).
After an update from
Apache/2.4.29 (Unix) OpenSSL/1.1.0g to
Apache/2.4.34 (Unix) OpenSSL/1.1.0i
with no configuration change, the Apache error log threw many errors:
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1688): [client 10.227.8.133:11443] AH02039: Certificate Verification: Error (19): self signed certificate in certificate chain
[Thu Sep 27 18:47:26 2018] [error] [pid 32166] ssl_engine_kernel.c(1714): [client 10.227.8.133:11443] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
I figured out that the complaints were caused by some new behaviour in checking
the backend server certificate. I could omit the AH02040 by setting
SSLVerifyDepth from 1 to 2. And here my confusion starts.
Why does it affect the backend side TLS connection if I configure parameters
for the frontside TLS connection? We have only one level of CA hierarchy for
client certificates and I don't want to set 2 here.
I was not able to overcome the AH02039 error. The certificate chain of the
backend server's certificate is not interesting on reverse proxy level and was
not needed for decades. Something changed which messed this up.
Or is it wanted behaviour introduced by a new feature? I cannot find anything
in the release notes of Apache or OpenSSL.
SSLOptions +StdEnvVars +ExportCertData
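As an added illustration that is not part of the bug report, the following mod_ssl configuration spells out the two verification contexts the reporter expects to be independent: the frontend client-certificate check and the proxy's own check of the backend server certificate each get their own CA file and depth, so the frontend SSLVerifyDepth can stay at 1 while the backend chain is verified with depth 2. File paths, the ServerName and the backend host are placeholders; whether the 2.4.34 build in question actually honours this split is exactly what the report questions.

```apache
<VirtualHost *:443>
    ServerName proxy.example.test   # placeholder

    # Frontend: client certificate authentication for connecting clients.
    # One CA level only, so depth 1 matches the reporter's PKI.
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/placeholder/client-ca.pem
    SSLOptions +StdEnvVars +ExportCertData

    # Backend: the proxy acting as a TLS client towards the origin server.
    # Verified against a separate CA bundle with its own depth setting,
    # independent of the frontend directives above.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/placeholder/backend-ca-chain.pem
    SSLProxyCheckPeerName on

    ProxyPass        /app/ https://backend.example.internal/app/
    ProxyPassReverse /app/ https://backend.example.internal/app/
</VirtualHost>
```

If the AH02039/AH02040 errors persist with the backend CA bundle in SSLProxyCACertificateFile and SSLProxyVerifyDepth set to the real chain length, the frontend SSLVerifyDepth is being applied to the proxy connection, which is the behaviour reported above.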