Client Authentication Is Allowing Authentication From A Different CA Chain
(Doc ID 454068.1)
Last updated on NOVEMBER 07, 2024
Applies to:
Oracle HTTP Server - Version 10.1.2.1 to 11.1.1.7.0 [Release AS10gR2 to Oracle11g]
Web Cache - Version 10.1.2 to 11.1.1.7.0 [Release AS10gR2 to Oracle11g]
Information in this document applies to any platform.
Web Cache - Version: 10.1.2 to 11.1.1.6
This problem can occur on any platform.
Symptoms
- Certificates have been created with the following CA hierarchy:

ROOT_CA ----> SUBCA1 ----> server_subca1.crt, client_subca1.crt
   |
   +--------> SUBCA2 ----> server_subca2.crt, client_subca2.crt

- Web Cache or HTTP Server is configured for SSL Client Authentication and uses a Wallet with a server certificate issued by SUBCA1 (server_subca1.crt).
- The Wallet therefore contains ROOT_CA and SUBCA1 in its Trusted Certificate list.
- The aim is to configure Web Cache or HTTP Server to use client certificates so that only users with a client certificate from SUBCA1 (client_subca1.crt) can access the site.
- The problem is that a client certificate issued by SUBCA2 (client_subca2.crt) can still access the site, when in theory it should not be able to.
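
The scenario above as an added example (not code from the Oracle note, and not the text of its Cause section): a minimal Python model of standard X.509 path building by issuer name, showing how a trust list containing ROOT_CA can yield a valid path for client_subca2.crt, and how an explicit check on the direct issuer separates the two clients. `Cert`, `build_path` and `authorize` are hypothetical names, the certificates are constructed stand-ins, and signatures, validity dates and revocation are not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


# Constructed stand-ins for the hierarchy in the Symptoms section.
ROOT_CA = Cert("ROOT_CA", "ROOT_CA", is_ca=True)
SUBCA1 = Cert("SUBCA1", "ROOT_CA", is_ca=True)
SUBCA2 = Cert("SUBCA2", "ROOT_CA", is_ca=True)
CLIENT1 = Cert("client_subca1", "SUBCA1")
CLIENT2 = Cert("client_subca2", "SUBCA2")

# Trusted Certificate list as described on the page.
WALLET_TRUSTED = {"ROOT_CA": ROOT_CA, "SUBCA1": SUBCA1}


def build_path(leaf, presented, trusted, max_depth=8):
    """Return the chain leaf -> ... -> trust anchor, or None if none exists.

    Name chaining only (assumption): no signature, date or revocation checks.
    """
    pool = {c.subject: c for c in presented if c.is_ca}
    path, current = [leaf], leaf
    for _ in range(max_depth):
        if current.issuer in trusted:          # reached a trust anchor
            path.append(trusted[current.issuer])
            return path
        nxt = pool.get(current.issuer)         # try a client-supplied intermediate
        if nxt is None or nxt in path:         # unknown issuer or a loop
            return None
        path.append(nxt)
        current = nxt
    return None


def authorize(leaf, presented, trusted, allowed_issuers):
    """Path validation plus an explicit check on the leaf's direct issuer."""
    path = build_path(leaf, presented, trusted)
    return path is not None and path[1].subject in allowed_issuers
```

In this model, path validation alone answers "does the chain end at a trusted certificate", while `authorize` adds the separate question "which CA issued this client certificate".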
Changes
Cause