Client Authentication Is Allowing Authentication From A Different CA Chain
Last updated on APRIL 13, 2016
Applies to: Oracle HTTP Server - Version 10.1.2.1 to 126.96.36.199.0 [Release AS10gR2 to Oracle11g]
Web Cache - Version 10.1.2 to 188.8.131.52.0 [Release AS10gR2 to Oracle11g]
Information in this document applies to any platform.
- Certificates have been created with the following CA hierarchy:
  ROOT_CA ----> SUBCA1 -----> server_subca1.crt, client_subca1.crt
          ----> SUBCA2 -----> server_subca2.crt, client_subca2.crt
- Web Cache or HTTP Server is configured for SSL Client Authentication and uses a Wallet whose server certificate was issued by SUBCA1 (server_subca1.crt).
- The Wallet's Trusted Certificate list therefore contains ROOT_CA and SUBCA1.
- The aim is to configure Web Cache or HTTP Server so that only users holding a client certificate issued by SUBCA1 (client_subca1.crt) can access the site.
- The problem is that a client certificate issued by SUBCA2 (client_subca2.crt) can still access the site, although it should be rejected.
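In standard X.509 path validation the server accepts any chain that ends at a certificate in its trusted list, and ROOT_CA is on that list, so a client presenting client_subca2.crt together with the SUBCA2 certificate builds a valid path through SUBCA2 to ROOT_CA. The Python model below is added here and is not part of the Oracle note: it simulates that path walk with constructed certificates (names only, no keys or signatures) and adds an assumed post-validation issuer check; whether Oracle HTTP Server or Web Cache expose such a check is not covered by this excerpt.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Cert:
    """Simulated certificate: only the naming fields path building needs (no keys or signatures)."""
    subject: str
    issuer: str
    is_ca: bool = False

# Constructed hierarchy mirroring the note: one root, two intermediates, a client leaf under each.
ROOT_CA = Cert("ROOT_CA", "ROOT_CA", is_ca=True)
SUBCA1 = Cert("SUBCA1", "ROOT_CA", is_ca=True)
SUBCA2 = Cert("SUBCA2", "ROOT_CA", is_ca=True)
CLIENT_SUBCA1 = Cert("client_subca1", "SUBCA1")
CLIENT_SUBCA2 = Cert("client_subca2", "SUBCA2")
WALLET = [ROOT_CA, SUBCA1]  # the Wallet's Trusted Certificate list as described in the note

def validate_path(leaf: Cert, presented: Iterable[Cert], trusted: Iterable[Cert]) -> Optional[list]:
    """Path building as the server does it: follow issuer links from the leaf, using the
    intermediates the client sent, until a certificate in the trust list is reached.
    Returns the chain (leaf first, anchor last) or None. A real validator also checks
    signatures, validity periods and CA constraints at every link."""
    anchors = {c.subject: c for c in trusted if c.is_ca}
    supplied = {c.subject: c for c in presented if c.is_ca}
    chain, current = [leaf], leaf
    while current.issuer not in anchors:
        nxt = supplied.get(current.issuer)
        if nxt is None or nxt in chain:  # unknown issuer, or a loop in what the client sent
            return None
        chain.append(nxt)
        current = nxt
    chain.append(anchors[current.issuer])
    return chain

def accept_client(leaf: Cert, presented: Iterable[Cert], required_issuer: str = "SUBCA1") -> bool:
    """Policy layer (an assumed check, not the note's fix): the leaf must chain to the
    Wallet AND be issued directly by the one sub-CA the site admits."""
    chain = validate_path(leaf, presented, WALLET)
    return chain is not None and chain[1].subject == required_issuer

def demo() -> dict:
    return {
        "subca1_client": validate_path(CLIENT_SUBCA1, [], WALLET) is not None,                   # True
        "subca2_client_with_subca2": validate_path(CLIENT_SUBCA2, [SUBCA2], WALLET) is not None, # True: path closes via ROOT_CA
        "subca2_client_alone": validate_path(CLIENT_SUBCA2, [], WALLET) is not None,             # False: no path to an anchor
        "subca2_client_policy": accept_client(CLIENT_SUBCA2, [SUBCA2]),                          # False: issuer is not SUBCA1
        "subca1_client_policy": accept_client(CLIENT_SUBCA1, []),                                # True
    }
```

The middle two cases show why the symptom can look intermittent: the SUBCA2 client is only accepted when it sends the SUBCA2 certificate along with its own.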