Client Authentication Is Allowing Authentication From A Different CA Chain
(Doc ID 454068.1)
Last updated on OCTOBER 31, 2022
Applies to: Oracle HTTP Server - Version 10.1.2.1 to 220.127.116.11.0 [Release AS10gR2 to Oracle11g]
Web Cache - Version 10.1.2 to 18.104.22.168.0 [Release AS10gR2 to Oracle11g]
Information in this document applies to any platform.
- Certificates have been created with the following CA hierarchy:
  ROOT_CA ---> SUBCA1 ---> server_subca1.crt, client_subca1.crt
          ---> SUBCA2 ---> server_subca2.crt, client_subca2.crt
- Web Cache or HTTP Server is configured for SSL client authentication and uses a wallet whose server certificate was issued by SUBCA1 (server_subca1.crt).
- The wallet therefore contains ROOT_CA and SUBCA1 in its trusted certificate list.
- The aim is to configure Web Cache or HTTP Server so that only users presenting a client certificate issued by SUBCA1 (client_subca1.crt) can access the site.
- The problem is that a client certificate issued by SUBCA2 (client_subca2.crt) can still access the site, although it should be rejected.
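The following Python model is an added example and is not code from the Oracle note or from Oracle HTTP Server or Web Cache. It reproduces the path-building step of certificate validation with the CA names used above (ROOT_CA, SUBCA1, SUBCA2, client_subca1, client_subca2), without real keys or signatures, to show the mechanism behind the symptom: a chain is accepted as soon as it reaches any certificate in the trusted list, so while ROOT_CA is trusted, the chain client_subca2 -> SUBCA2 -> ROOT_CA terminates at a trust anchor and passes. The same model shows the two defender-side controls: trusting only SUBCA1 (so the SUBCA2 chain has nowhere to terminate) and an explicit check on the client certificate's direct issuer. The wallet lists, the `accept_client` decision function and the hierarchy objects are constructed for this example.

```python
# Added example (not Oracle's code): simplified X.509 path building over
# issuer links only. Signature and key verification are deliberately not
# modelled; the point is which trust anchor a chain terminates at.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject name of the CA that signed this certificate


# Constructed sample hierarchy mirroring the note (no real key material).
ROOT_CA = Cert("ROOT_CA", "ROOT_CA")  # self-signed root
SUBCA1 = Cert("SUBCA1", "ROOT_CA")
SUBCA2 = Cert("SUBCA2", "ROOT_CA")
CLIENT_SUBCA1 = Cert("client_subca1", "SUBCA1")
CLIENT_SUBCA2 = Cert("client_subca2", "SUBCA2")

# Trusted-certificate lists as a wallet would hold them (constructed).
WALLET_AS_DESCRIBED = [ROOT_CA, SUBCA1]  # the configuration in the symptoms
WALLET_SUBCA1_ONLY = [SUBCA1]            # root deliberately left out


def build_path(leaf: Cert, presented: Iterable[Cert],
               trusted: Iterable[Cert]) -> Optional[List[Cert]]:
    """Follow issuer links from the leaf until a trusted certificate is reached.

    `presented` is the chain the TLS client sends with its certificate;
    `trusted` is the server's trust store. Returns the path (leaf first,
    trust anchor last) or None when no anchor can be reached.
    """
    anchors = {c.subject: c for c in trusted}
    pool = {c.subject: c for c in presented}
    pool.update(anchors)  # a trusted copy always wins over a presented one
    path = [leaf]
    seen = {leaf.subject}
    current = leaf
    while current.subject not in anchors:
        issuer = pool.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            return None  # dangling or looping chain: not trusted
        path.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return path


def issuer_allowed(leaf: Cert, allowed_issuers: Set[str]) -> bool:
    """Policy check independent of path building: the client certificate
    must have been issued directly by one of the named sub-CAs."""
    return leaf.issuer in allowed_issuers


def accept_client(leaf: Cert, presented: Iterable[Cert],
                  trusted: Iterable[Cert], allowed_issuers: Set[str]) -> bool:
    """Combined decision (hypothetical policy): the chain must reach a trust
    anchor AND the direct issuer must be on the allow-list."""
    return (build_path(leaf, presented, trusted) is not None
            and issuer_allowed(leaf, allowed_issuers))


if __name__ == "__main__":
    # Symptom: ROOT_CA is trusted, so client_subca2 -> SUBCA2 -> ROOT_CA passes.
    path = build_path(CLIENT_SUBCA2, [SUBCA2], WALLET_AS_DESCRIBED)
    print("wallet {ROOT_CA, SUBCA1}:", [c.subject for c in path])
    # Control 1: with only SUBCA1 trusted the same chain cannot terminate.
    print("wallet {SUBCA1}:", build_path(CLIENT_SUBCA2, [SUBCA2], WALLET_SUBCA1_ONLY))
    # Control 2: an issuer allow-list rejects it even with the root trusted.
    print("issuer policy:", accept_client(CLIENT_SUBCA2, [SUBCA2],
                                          WALLET_AS_DESCRIBED, {"SUBCA1"}))
```

Whether a given TLS stack accepts an intermediate CA on its own as a trust anchor, without its root present, differs between implementations (OpenSSL, for instance, needs an explicit partial-chain option), so the issuer check is the control that does not depend on how the wallet's trust list is interpreted; where the product offers a way to constrain the client certificate's issuer DN, that is the stack-independent place to enforce "SUBCA1 only".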