Client Authentication Is Allowing Authentication From A Different CA Chain (Doc ID 454068.1)

Last updated on APRIL 13, 2016

Applies to:

Oracle HTTP Server - Version 10.1.2.1 to 11.1.1.7.0 [Release AS10gR2 to Oracle11g]
Web Cache - Version 10.1.2 to 11.1.1.7.0 [Release AS10gR2 to Oracle11g]
Information in this document applies to any platform.
Web Cache - Version: 10.1.2 to 11.1.1.6
This problem can occur on any platform.

Symptoms

- Certificates have been created with the following CA hierarchy:

ROOT_CA ----> SUBCA1 -----> server_subca1.crt, client_subca1.crt
     |
     -------------->SUBCA2 -----> server_subca2.crt, client_subca2.crt

- Web Cache or HTTP Server is configured for SSL Client Authentication, and is using a Wallet with a server certificate issued by SUBCA1 (server_subca1.crt).
- The Wallet therefore contains in its Trusted Certificate list: ROOT_CA and SUBCA1.
- The aim is to configure Web Cache or HTTP Server to use client certificates so that only users with a client certificate issued by SUBCA1 (client_subca1.crt) can access the site.
- The problem is that a client certificate issued by SUBCA2 (client_subca2.crt) can still access the site, when in theory it should not be able to.
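
The following is an added illustration, not code from the Oracle note: a simplified model of standard PKIX path building (no signature checks) showing that, when the Wallet trusts ROOT_CA, a path from client_subca2.crt can be completed through the SUBCA2 intermediate the client presents, and that restricting access to SUBCA1 needs an explicit check on the client certificate's issuer in addition to chain validation. The certificate names and the `build_path`/`accept_client` functions are constructed for this example and assume the hierarchy drawn above.

```python
# Constructed model of the note's CA hierarchy: ROOT_CA -> SUBCA1, ROOT_CA -> SUBCA2.
# Each certificate is modelled as (subject, issuer); signatures are not checked.
CERTS = {
    "ROOT_CA": ("ROOT_CA", "ROOT_CA"),
    "SUBCA1": ("SUBCA1", "ROOT_CA"),
    "SUBCA2": ("SUBCA2", "ROOT_CA"),
    "client_subca1.crt": ("client_subca1", "SUBCA1"),
    "client_subca2.crt": ("client_subca2", "SUBCA2"),
}

# The Wallet's Trusted Certificate list from the Symptoms section.
TRUSTED = {"ROOT_CA", "SUBCA1"}


def build_path(leaf, presented, trusted=TRUSTED):
    """Walk issuer links from the leaf through the intermediates the client
    presented (plus the trusted certificates) until a trusted certificate is
    reached. Returns the path as a list of names, or None if no path exists."""
    pool = {name: CERTS[name] for name in list(presented) + list(trusted)}
    subject, issuer = CERTS[leaf]
    path = [leaf]
    seen = set()
    while subject not in trusted:
        # Path building stops if the next issuer is unknown or already visited.
        if issuer in seen or issuer not in pool:
            return None
        seen.add(issuer)
        path.append(issuer)
        subject, issuer = pool[issuer]
    return path


def accept_client(leaf, presented, required_issuer="SUBCA1", trusted=TRUSTED):
    """Chain validation alone accepts any certificate that chains to ROOT_CA;
    the policy the note aims for additionally requires the client certificate
    to be issued directly by SUBCA1 (e.g. an access rule on the issuer DN)."""
    path = build_path(leaf, presented, trusted)
    return path is not None and CERTS[leaf][1] == required_issuer


if __name__ == "__main__":
    # client_subca2.crt validates because the client supplies SUBCA2 and
    # ROOT_CA is a trust anchor; the issuer check is what rejects it.
    print(build_path("client_subca2.crt", ["SUBCA2"]))   # ['client_subca2.crt', 'SUBCA2', 'ROOT_CA']
    print(accept_client("client_subca1.crt", ["SUBCA1"]))  # True
    print(accept_client("client_subca2.crt", ["SUBCA2"]))  # False
```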

Cause
